Preface



ACISP 2001, the Sixth Australasian Conference on Information Security and Privacy, was held in Sydney, Australia. The conference was sponsored by Information and Networked System Security Research (INSSR), Macquarie University, the Australian Computer Society, and the University of Western Sydney. I am grateful to all these organizations for their support of the conference.

The aim of this conference was to draw together researchers, designers, and users of information security systems and technologies. The conference program addressed a range of aspects from system and network security to secure Internet applications to cryptography and cryptanalysis. This year the program committee invited two international keynote speakers, Dr. Yacov Yacobi from Microsoft Research (USA) and Dr. Clifford Neumann from the University of Southern California (USA). Dr. Yacobi’s talk addressed the issues of trust, privacy, and anti-piracy in electronic commerce. Dr. Neumann’s address was concerned with authorization policy issues and their enforcement in applications.

The conference received 91 papers from America, Asia, Australia, and Europe. The program committee accepted 38 papers and these were presented in some 9 sessions covering system security, network security, trust and access control, authentication, cryptography, cryptanalysis, digital signatures, elliptic curve based techniques, and secret sharing and threshold schemes. This year the accepted papers came from a range of countries, including 7 from Australia, 8 from Korea, 7 from Japan, 3 from the UK, 3 from Germany, 3 from the USA, 2 from Singapore, 2 from Canada and 1 each from Belgium, Estonia, and Taiwan.

Organizing a conference such as this one is a time-consuming task and I would 
like to thank all the people who worked hard to make this conference a success. 
In particular, I would like to thank Program Co-chair Yi Mu for his tireless work 
and the members of the program committee for putting together an excellent 
program, and all the session chairs and speakers for their time and effort. Special 
thanks to Yi Mu, Laura Olsen, Rajan Shankaran, and Michael Hitchens for 
their help with local organization details. Finally, I would like to thank all the 
authors who submitted papers and all the participants of ACISP 2001. I hope 
that the professional contacts made at this conference, the presentations, and 
the proceedings have offered you insights and ideas that you can apply to your 
own efforts in security and privacy. 
A Few Thoughts on E-Commerce

Keynote Lecture 



Yacov Yacobi 
Microsoft Research, USA 



Abstract. I discuss a few notions related to e-commerce, such as: trust, 
privacy, and the economies of piracy and anti-piracy. 



Trust 

We have been using the term trust without any quantification for a long time. 
We need a technical term that will capture some of its meaning and enable 
quantification. The parallel may be Shannon’s quantification of Information. It 
does not capture all of the meaning of information, but is useful enough. I suggest 
equating the amount of trust that a system needs with the value that this system 
is supposed to protect. It seems to me that we cannot get around this. We may 
push trust in different directions, we may distribute it, but we cannot do without 
it. For example, one important difference between symmetric and asymmetric 
key cryptography, is that the latter assigns trust to potentially more trustworthy 
entities. 

Privacy 

ID theft is the major issue; much more so than exposure of shopping patterns. ID theft occurs when somebody issues a credit card in my name, maxes it out, and disappears, leaving me with the tedious task of salvaging my credit profile (most of the $$ damage is eaten by the credit card company). It happens because today, when we want to prove that we know some secret, we expose it. The annual dollar amount in damages is already in many billions, and rapidly increasing.

Public Key cryptosystems make it possible to prove knowledge of secrets 
without exposing them. Widespread deployment of PKI will solve most of this 
problem. 

But the privacy issue that gets the headlines is exposure of shopping patterns. 
Long ago we traded this kind of privacy for credit. Credit card companies know 
what, where and when we buy, in real time. They can trace us better than the 
KGB in its heyday could trace citizens of the Soviet Union. We could use
cash and avoid it, but we overwhelmingly chose the convenience of credit. Later 
we chose to trade even more of our location privacy, for mobility. The cell phone 
companies can now trace our physical location to within a few hundred feet on 
a continuous basis. 
Now we have to choose a tradeoff between privacy and bandwidth. The bandwidth bottleneck is in our heads; there is only so much that we can absorb in a day. Some knowledge of our shopping patterns can help in targeted ads that will alleviate this bottleneck. My bet is that if done well, and if users are free to choose, most of them will choose to trade some privacy for this service.

On the Economies of Piracy and Anti-piracy 

We consider the following players in the piracy game: defense and offense, where offense is further subdivided into transmitters and receivers of piracy. We assume that all the players are economically rational, and try to maximize their profits. With each player we associate an inequality of the general type comparing costs with profits. We scale the inequality per client machine. Let v denote the average aggregate value of protected objects on a client machine. Each offense player has a different cost of attack per machine, which is compared to v. A system for which the inequality holds for every player is sound. We consider active and passive protected objects (SW and content, respectively). We consider two types of protecting systems: open and closed systems. The former can run protected and unprotected objects. The latter runs only protected objects. A non-protecting system is promiscuous.

Napster-like systems are covered in the sense that if the Napster offense were economically motivated (either receivers or transmitters) then sound systems would deter them. Offenders who are not economically motivated (vandals) would not be deterred by a sound system no matter what the delivery mechanism is. We outline a few open problems on the way to sound anti-piracy systems.
Abstract. This paper is concerned with a particular type of attack against CBC-MACs, namely forgery attacks, i.e. attacks which enable an unauthorised party to obtain a MAC on a data string. Existing forgery attacks against CBC-MACs are briefly reviewed, together with the effectiveness of various countermeasures. This motivates the main part of the paper, where a family of new forgery attacks are described, which raise serious questions about the effectiveness of certain countermeasures.



1 Introduction 

1.1 Use of MACs 

MACs, i.e. Message Authentication Codes, are a widely used method for protecting the integrity and guaranteeing the origin of transmitted messages and stored files. To use a MAC it is necessary for the sender and recipient of a message (or the creator and verifier of a stored file) to share a secret key K, chosen from some (large) keyspace. The data string to be protected, D say, is input to a MAC function f, along with the secret key K, and the output is the MAC. We write $MAC = f_K(D)$. The MAC is then sent or stored with the message.

1.2 A Model for CBC-MACs 

MACs are most commonly computed using a block cipher in a scheme known as a CBC-MAC (for Cipher Block Chaining MAC). This name derives from the CBC ‘mode of operation’ for block ciphers, and a CBC-MAC is computed using the same basic process. There are several variants of the CBC-MAC, although the following general model (see [1]) covers most of these.

The computation of a CBC-MAC on a bit string D using a block cipher with block length n uses the following six steps.

1. Padding. The data string D is subjected to a padding process, involving the addition of bits to D, the output of which (the padded string) is a bit string of length an integer multiple of n (say qn).

* The views expressed in this paper are personal to the author and not necessarily 
those of Visa International 
2. Splitting. The padded string is divided (or ‘split’) into a series of n-bit blocks, $D_1, D_2, \ldots, D_q$.

3. Initial transformation. Initial transformation I, which may be key-controlled, is applied to $D_1$ to give the first chaining variable $H_1$, i.e.

$H_1 = I(D_1)$.

4. Iteration. Successive chaining variables are computed as

$H_i = e_K(D_i \oplus H_{i-1})$

for $i = 2, 3, \ldots, q$, where, as throughout, K is a block cipher key, $e_K(X)$ and $d_K(X)$ denote block cipher encryption and decryption of block X with key K, and $\oplus$ denotes bit-wise exclusive-or of blocks.

5. Output transformation. The n-bit output block G is computed as

$G = g(H_q)$

where g is the output transformation (which may be key-controlled).

6. Truncation. The MAC is set equal to the leftmost m bits of G.

Most CBC-MACs adhere to this model, and such MACs will be the main focus of this paper.

1.3 Types of CBC-MAC Scheme 

The latest version of the relevant international standard, namely ISO/IEC 9797-1, contains six different CBC-MAC variants. These are based on combinations of two Initial transformations and three Output transformations.

— Initial transformation 1 is defined as:

$I(D_1) = e_K(D_1)$

where K is the same key as used in the Iteration step. I.e. Initial transformation 1 is the same as the Iteration step, and is the one used in both the original CBC-MAC, as defined in ANSI X9.9, [?], and CBC-MAC-Y (also known as the ANSI Retail MAC), standardised in ANSI X9.19, [?].

— Initial transformation 2 is defined as:

$I(D_1) = e_{K''}(e_K(D_1))$

where K is the same key as used in the Iteration step, and $K''$ is a block cipher key distinct from K.

— Output transformation 1 is defined as:

$g(H_q) = H_q$,

i.e. Output transformation 1 is the identity transformation, and is the one used in the original CBC-MAC, [?].

— Output transformation 2 is defined as:

$g(H_q) = e_{K'}(H_q)$,

where $K'$ is a block cipher key distinct from K.

— Output transformation 3 is defined as:

$g(H_q) = e_K(d_{K'}(H_q))$,

where $K'$ is a block cipher key distinct from K. Output transformation 3 is the one used in CBC-MAC-Y, [?].

These options are combined in the ways described in Table 1 to yield four of the six different CBC-MAC schemes defined in ISO/IEC 9797-1, [1]. Note that algorithms 5 and 6 do not fit the general MAC model given above; as a result we do not consider these last two algorithms further in this paper.



Table 1. CBC-MAC schemes defined in ISO/IEC 9797-1

Algorithm   Input            Output           Notes
number      transformation   transformation
1           1                1                The ‘original’ CBC-MAC scheme.
2           1                2                K' may be derived from K.
3           1                3                CBC-MAC-Y. The values of K and K' shall be
                                              chosen independently.
4           2                2                K'' shall be derived from K' in such a way
                                              that K' ≠ K''.



Finally note that three Padding Methods are also defined in [1]. Padding Method 1 simply involves adding between 0 and n - 1 zeros, as necessary, to the end of the data string. Padding Method 2 involves the addition of a single 1 bit at the end of the data string followed by between 0 and n - 1 zeros. Padding Method 3 involves prefixing the data string with an n-bit block encoding the bit length of the data string, with the end of the data string padded as in Padding Method 1.

When using one of the six MAC algorithms it is necessary to choose one of 
the three padding methods, and the degree of truncation to be employed. All 
three Padding Methods can be deployed with all six MAC algorithms. 

In the remainder of this paper the discussions primarily apply to MAC algorithms 1-4 from ISO/IEC 9797-1, used with Padding Methods 1-3. We also use the terminology of ISO/IEC 9797-1. In fact, these algorithms cover almost all CBC-MAC variants in common use today.
2 Attacks on CBC-MACs

There are two main types of attack on MAC schemes. 

— In a MAC forgery attack [?], an unauthorised party is able to obtain a valid MAC on a message which has not been produced by the holders of the secret key. Typically the attacker will need a number of valid MACs and corresponding messages to use to obtain the forgery.

— A key recovery attack enables the attacker to obtain the secret key used to generate one or more MACs. Note that a successful key recovery attack enables the construction of arbitrary numbers of forgeries.

We introduce a simple way of quantifying the effectiveness of an attack. Following the approach used in [?], we do this by means of a four-tuple which specifies the size of the resources needed by the attacker. For each attack we specify the tuple [a, b, c, d] where a denotes the number of off-line block cipher encipherments (or decipherments), b denotes the number of known data string/MAC pairs, c denotes the number of chosen data string/MAC pairs, and d denotes the number of on-line MAC verifications. The reason for distinguishing between the numbers c and d is that, in some environments, it may be easier for the attacker to obtain MAC verifications (i.e. to submit a data string/MAC pair and receive an answer indicating whether or not the MAC is valid) than to obtain the genuine MAC value for a chosen message.

3 Simple MAC Forgeries 

We start by considering three ‘simple’ types of MAC forgery. All these forgery attacks apply regardless of the MAC algorithm in use.

— MAC guessing. The attacker selects a message and simply guesses the correct MAC value. The probability that the guess will be correct is $2^{-m}$. Such attacks can be avoided by making m sufficiently large.

— Verification forgery. This is a simple development of the ‘MAC guessing’ technique. The attacker chooses a message, and then works through all possible MACs, submitting the chosen message combined with each MAC value for verification. This attack has complexity $[0, 0, 0, 2^m]$. Thus, even if an attacker only has access to a MAC verification function, selective verifiable forgeries are possible unless m is sufficiently large.

— Trailing zeros forgery. The third attack only applies when Padding Method 1 from [1] is in use. The attack works because of the observation that, if a padded message has final block $D_q$ and the last ‘1’ bit appears at position i (out of n) in $D_q$, then there are $n + 1 - i$ (unpadded) messages which, when padded, give the padded message. This means that, unless a message contains a multiple of n bits and ends in a ‘1’ bit, given any message and MAC it is possible to discover other messages with the same MAC by deleting zeros from, or adding zeros to, the end of the message. The same general type of attack would apply to any scheme using a padding method where the mapping from messages to padded messages is not injective. Fortunately, Padding Methods 2 and 3 do not suffer from this problem — indeed, the main motivation for the design of Padding Method 2 was to avoid this problem.



4 More Sophisticated Forgeries 

We now consider further attacks which apply only to particular variants of the 
CBC-MAC. 

4.1 Simple Cut and Paste Attack 

Suppose the MAC function in use is the ‘original’ MAC scheme, i.e. ISO/IEC 9797-1 MAC algorithm 1. Then, given two messages with valid MACs (computed using the same secret key K), we can compute a third ‘composite’ message with a valid MAC without knowing the key. For further details see, for example, [?].



4.2 Birthday Attack 

For this attack we suppose that Padding Method 3 is not being used. We also suppose that no truncation is employed, i.e. so that m = n. Suppose, by some means, an attacker discovers two messages with the same MAC. That is, suppose the attacker has found that the two messages with padded data strings $D_1, D_2, \ldots, D_q$ and $E_1, E_2, \ldots, E_r$ have the same MAC. Then it follows immediately that any pair of padded messages that have the form $D_1, D_2, \ldots, D_q, X_1, X_2, \ldots, X_t$ and $E_1, E_2, \ldots, E_r, X_1, X_2, \ldots, X_t$ will also have the same MAC, regardless of the choice of $X_1, X_2, \ldots, X_t$.

By elementary probability theory relating to the so called ‘Birthday Paradox’ (see, for example, [?]), given a set of $2^{n/2}$ messages there is a good chance that two of them will have the same MAC. Thus, to find such a collision requires only approximately $2^{n/2}$ known message/MAC pairs. Armed with such a pair, the attacker now needs only persuade the user to generate a MAC on one more message to obtain a MAC forgery. Thus the total complexity of this attack is $[0, 2^{n/2}, 1, 0]$.

Finally note that this attack applies to all of ISO/IEC MAC algorithms 1-4, as long as Padding Method 3 is not used. Unfortunately, Padding Method 3 does not prevent another, slightly more sophisticated, forgery attack, described immediately below.



4.3 Van Oorschot-Preneel Attack 

This attack is based on an observation of Preneel and van Oorschot, also independently made by Kaliski and Robshaw, which is summarised as Lemma 1 in [?]. The attack relies on finding an ‘internal collision’ for a pair of padded messages. That is, suppose $D_1, D_2, \ldots, D_q$ and $E_1, E_2, \ldots, E_r$ are two sequences of n-bit blocks obtained as a result of applying the padding and splitting processes to a pair of messages D and E. Suppose also that the chaining variables for the MAC computations for D and E are $H_i$ ($1 \le i \le q$) and $J_i$ ($1 \le i \le r$), respectively. Then an internal collision is where:

$H_s = J_t$

for some pair (s, t), where $s \le q$ and $t \le r$.

Given knowledge of an internal collision (by some means), the attacker immediately knows that the padded messages

$D_1, D_2, \ldots, D_s, F_1, F_2, \ldots, F_u$ and $E_1, E_2, \ldots, E_t, F_1, F_2, \ldots, F_u$

will have the same MAC, regardless of $F_1, F_2, \ldots, F_u$. That is, given a known internal collision, a forgery requires only one chosen MAC. Note that, if Padding Method 3 is used, then the above attack will work if and only if the values s, t and u satisfy $u = q - s = r - t$.

The problem remains of finding the internal collision. If Padding Method 3 is not in use then the attack works if we set s = q and t = r and look for MAC collisions amongst a large set of messages, i.e. the attack is the same as the Birthday Attack (see Section 4.2). However, when Padding Method 3 is in use, finding a ‘useful’ internal collision, i.e. one for which s < q, is a little more difficult albeit not impossible, as we now describe.

Suppose that the attacker obtains the MACs for a set of $2^{n/2}$ messages, all of which agree in their final u n-bit blocks for some u > 0. As before, suppose also that m = n. Then, there is a good chance that two of these messages will have the same MAC. Since these two messages have their final u blocks the same, then we know that there will be an internal collision.

Specifically, suppose we know that the MACs for the sequences of blocks $D_1, D_2, \ldots, D_q$ and $E_1, E_2, \ldots, E_r$ are the same, and suppose we also have $D_i = E_{i+r-q}$ for $q - u + 1 \le i \le q$. If $H_i$ and $J_i$ denote chaining variables (as above), then we must have $H_s = J_t$ where $s = q - u$ and $t = r - u$.

If we regard the set of $2^{n/2}$ messages as chosen texts, then the attack has complexity $[0, 0, 2^{n/2}, 0]$, which, although large, is still more effective than the ‘simple’ MAC forgeries. However, it may be easier than this to obtain the desired MACs, bearing in mind that many messages are highly formatted. Thus it may be true ‘by accident’ that large numbers of messages for which a MAC is computed all end in the same way. If this is the case then the attack complexity might more reasonably be described as $[0, 2^{n/2}, 1, 0]$, i.e. the same as the Birthday forgery attack.

In any event it should be clear that Padding Method 3 does not protect against forgery attacks using internal or external collisions. This point is also made in Section III.B of [?]. Thus, to prevent such attacks, further countermeasures are needed. This is the subject of the remainder of this paper.
5 Countermeasures

Over the past few years a number of countermeasures to various forgery attacks 
have been proposed. Of course, there are certain forgery attacks which cannot 
be avoided, and serve as a baseline against which other attacks can be measured. 
We now review some of the proposed countermeasures. 

— Truncation. Perhaps the most obvious countermeasure to the attacks described in Sections 4.2 and 4.3 is to choose the MAC length m such that m < n, i.e. to truncate the MAC. However, Knudsen, [?], has shown that, even when truncation is employed, the same attacks can still be made at the cost of a modest amount of additional effort. Moreover, if m is made smaller, then the MAC guessing and Verification forgery attacks (described in Section 3) become easier to mount.

— Padding Methods 2 and 3. Padding Method 2 was introduced specifically to deal with the Trailing zeros forgery (see Section 3). Padding Method 3 was introduced to counter certain key recovery attacks, and was also originally believed to counter Birthday forgeries (for further details see [?]). However, as we have seen, neither Padding Method is able, on its own, to prevent the attack described in Section 4.3.

— Serial numbers. A further countermeasure is briefly described in [1]. The idea is to prepend a unique serial number to data prior to computing a MAC. That is, every time a MAC is generated, the data to be MACed is prepended with a number which has never previously been used for this purpose (within the lifetime of the key).

Although it is not stated explicitly in [1], it would seem that it is intended that the serial number should be prepended to the message prior to padding. Note also that it will be necessary to send the serial number with the message, so that the intended recipient can use it to help recompute the MAC (as is necessary to verify it).

It is fairly simple to see why this approach foils the attacks of Sections 4.2 and 4.3. Both attacks require the forger to obtain the MAC for a chosen data string. However, because of the insertion of a serial number, the attacker is now no longer in a position to choose the data string. Thus it was believed that this countermeasure was effective against the non-trivial forgery attacks. However, as we will show below, serial numbers do not protect against ‘shortcut’ forgery attacks, even when combined with Padding Method 3. It is believed that this is the first time a forgery attack more efficient than the verification attack has been demonstrated against the serial number enhancement to CBC-MACs.

6 A New Forgery Attack 

We now describe a new type of forgery attack. To simplify the presentation we start by describing the attack as applied to MAC algorithms 1, 2 or 3 with Padding Method 1 or 2 and no Serial Number prefix. Later we consider the scenario where Serial Numbers are used and lastly we consider the implications of this attack in the case where both Padding Method 3 and Serial Numbers are used.

6.1 The Basic Attack 

We first consider the case where one of MAC algorithms 1, 2 or 3 is used together with Padding Method 1 or 2 and where the data is not prefixed with a Serial Number. As previously, we consider the case where there is no truncation and the size of the chaining variable is equal to the size of the final output, this common value being denoted by n. Assume that the attacker somehow obtains the corresponding MACs for approximately $2^{n/2}$ (padded) $(r+q+1)$-block messages $E'_1, E'_2, \ldots, E'_q, X, F_1, F_2, \ldots, F_r$, where $E'_1, E'_2, \ldots, E'_q$ are arbitrary n-bit blocks, $F_1, F_2, \ldots, F_r$ are arbitrary but fixed n-bit blocks, and X is an n-bit block that is different for each message. The attacker also obtains the corresponding MACs for approximately $2^{n/2}$ padded $(r+1)$-block messages of the form $Y, F_1, F_2, \ldots, F_r$, with the same fixed blocks $F_i$, $1 \le i \le r$, and a different n-bit block Y for each message.

Using an extension to the Birthday Paradox, [7, 8], given the number of MACs obtained there is a high probability that a MAC from the set of $(r+q+1)$-block messages is equal to a MAC from the set of $(r+1)$-block messages. In other words, $MAC(E_1, E_2, \ldots, E_q, X_0, F_1, F_2, \ldots, F_r) = MAC(Y_0, F_1, F_2, \ldots, F_r)$ for some particular known values of $E_1, \ldots, E_q$, $X_0$ and $Y_0$. Since the n-bit blocks $F_1, \ldots, F_r$ are the same for the two messages, it is an immediate consequence that $MAC^*(E_1, E_2, \ldots, E_q, X_0) = MAC^*(Y_0)$, where $MAC^*(Z)$ denotes the computation of the MAC on the message Z without the Output Transformation. This final relation is equivalent to

$MAC^*(E_1, E_2, \ldots, E_q) = X_0 \oplus Y_0$.

As a result of this, if the attacker knows that the MAC for some (padded) message $Z, P_1, P_2, \ldots, P_t$ ($t \ge 1$) is equal to M, then the attacker knows that the MAC for the message $E_1, E_2, \ldots, E_q, X_0 \oplus Y_0 \oplus Z, P_1, P_2, \ldots, P_t$ is also equal to M. This means that the complexity of this MAC forgery attack on a MAC algorithm with an n-bit output with no truncation is approximately $[0, 1, 2^{n/2+1}, 0]$. In the case of DES with no truncation, this is a forgery attack of complexity

$[0, 1, 2^{33}, 0]$.

6.2 A Forgery Attack for the Serial Number Case 

Now consider the case where Serial Numbers are used with MAC algorithm 1, 2 or 3 and Padding Method 1 or 2. Note that serial numbers are meant to be prefixed to the messages to be MACed, that is, if $P_1, P_2, \ldots, P_t$ is a padded t-block message, then the MAC is calculated on the $(t+1)$-block message $S, P_1, P_2, \ldots, P_t$ where S is the serial number associated with the message. With this observation we point out that the above attack described for MAC algorithms not using Serial Numbers works unchanged for MAC algorithms using Serial Numbers. Only the interpretation of the first block of the various chosen texts used in the attack is different.

Note that for the $(r+q+1)$-block messages $E'_1, E'_2, \ldots, E'_q, X, F_1, F_2, \ldots, F_r$ described above, the $E'_i$, $1 \le i \le q$, were arbitrary and not necessarily fixed. In the case of use of serial numbers, an attacker could submit $(r+q)$-block messages $E'_1, E'_2, \ldots, E'_{q-1}, X, F_1, F_2, \ldots, F_r$ to be MACed. The MAC algorithm returns the MAC for the string $S'_1, E'_1, E'_2, \ldots, E'_{q-1}, X, F_1, F_2, \ldots, F_r$, where $S'_1$ is the (unique) serial number selected by the MAC algorithm for the particular message. For verification of the MAC, the value of $S'_1$ has to be transmitted with the MAC of the message — if $S'_1$ is encrypted then this attack will not work. Hence the attacker is assumed to know the value of $S'_1$ for each of the $2^{n/2}$ $(r+q)$-block messages $E'_1, E'_2, \ldots, E'_{q-1}, X, F_1, F_2, \ldots, F_r$. Similarly, the attacker can submit the r-block message $F_1, F_2, \ldots, F_r$ $2^{n/2}$ times, each time obtaining a (different) MAC for the string $S'_2, F_1, F_2, \ldots, F_r$, for a known but different serial number $S'_2$.

As above, there is a non-trivial probability that an $(r+q)$-block message of the first type and one of the r-block submissions of the second type yield the same MAC, that is,

$MAC(S_1, E_1, E_2, \ldots, E_{q-1}, X_0, F_1, F_2, \ldots, F_r) = MAC(S_2, F_1, F_2, \ldots, F_r)$,

for some known particular values of $S_1, S_2, E_1, \ldots, E_{q-1}$ and $X_0$. This means that $MAC^*(S_1, E_1, E_2, \ldots, E_{q-1}, X_0) = MAC^*(S_2)$ and therefore

$MAC^*(S_1, E_1, E_2, \ldots, E_{q-1}) = X_0 \oplus S_2$.

If the attacker knows that the MAC for a padded message $P_1, \ldots, P_t$ ($t \ge 1$) using serial number $S_3$ is equal to M, he also knows that the MAC for the padded message $E_1, E_2, \ldots, E_{q-1}, X_0 \oplus S_2 \oplus S_3, P_1, P_2, \ldots, P_t$ using serial number $S_1$ is also equal to M. The complexity of this MAC forgery attack is the same as before, i.e. $[0, 1, 2^{n/2+1}, 0]$. The constructed block $X_0 \oplus S_2 \oplus S_3$ is the reason why the attack does not work if the serial numbers are not in the clear, since in this case the attacker does not know $S_2$ and $S_3$.
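The CBC-MAC model of Section 1.2, the ISO/IEC 9797-1 options of Table 1 and Padding Methods 1-3, and the identities of Sections 6.1 and 6.2, worked through in code. This is an added example, not code from the paper or the standard: the block cipher is a toy 32-bit Feistel network built on SHA-256 (so n = 32; it is not a real cipher), padding is byte-granular, and the keys, message blocks and serial numbers are constructed values. Instead of running the birthday search, the key holder constructs a colliding pair directly and the code checks the equalities the paper derives from such a pair, including why the derivation is restricted to algorithms 1-3.

```python
"""ISO/IEC 9797-1 style CBC-MAC (algorithms 1-4, Padding Methods 1-3, truncation)
over a TOY 32-bit Feistel cipher, plus checks of the Section 6.1/6.2 identities.
Added example: not the paper's code; cipher, keys, blocks and serial numbers
are constructed for illustration and have no security value."""
import hashlib

N_BYTES = 4          # toy block length n = 32 bits (4 bytes)
ROUNDS = 8

def _round(key: bytes, r: int, half: bytes) -> int:
    # Round function: 16 bits of SHA-256(key || round index || half-block).
    return int.from_bytes(hashlib.sha256(key + bytes([r]) + half).digest()[:2], "big")

def enc(key: bytes, block: bytes) -> bytes:
    """e_K(X): balanced Feistel network on two 16-bit halves."""
    l, r = int.from_bytes(block[:2], "big"), int.from_bytes(block[2:], "big")
    for i in range(ROUNDS):
        l, r = r, l ^ _round(key, i, r.to_bytes(2, "big"))
    return l.to_bytes(2, "big") + r.to_bytes(2, "big")

def dec(key: bytes, block: bytes) -> bytes:
    """d_K(X): the same rounds applied in reverse order."""
    l, r = int.from_bytes(block[:2], "big"), int.from_bytes(block[2:], "big")
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round(key, i, l.to_bytes(2, "big")), l
    return l.to_bytes(2, "big") + r.to_bytes(2, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes, method: int) -> bytes:
    """Padding Methods 1-3 (byte-granular simplification of the bit-level rules)."""
    zeros = b"\x00" * ((-len(data)) % N_BYTES)
    if method == 1:                       # zeros only: D and D||0 pad identically
        return data + zeros
    if method == 2:                       # a single 1 bit (0x80), then zeros
        body = data + b"\x80"
        return body + b"\x00" * ((-len(body)) % N_BYTES)
    if method == 3:                       # bit-length block, then Method 1 padding
        return (8 * len(data)).to_bytes(N_BYTES, "big") + data + zeros
    raise ValueError("unknown padding method")

# Table 1: algorithm number -> (Initial transformation, Output transformation)
TABLE1 = {1: (1, 1), 2: (1, 2), 3: (1, 3), 4: (2, 2)}

def cbc_mac(keys, padded: bytes, algorithm: int = 1, m_bytes: int = N_BYTES,
            output_transform: bool = True) -> bytes:
    """Steps 2-6 of the Section 1.2 model on an already padded string.
    keys = (K, K', K'').  output_transform=False yields MAC* of Section 6."""
    k, k1, k2 = keys
    init, out = TABLE1[algorithm]
    blocks = [padded[i:i + N_BYTES] for i in range(0, len(padded), N_BYTES)]
    h = enc(k, blocks[0])                       # Initial transformation 1
    if init == 2:
        h = enc(k2, h)                          # Initial transformation 2
    for d in blocks[1:]:                        # Iteration
        h = enc(k, xor(d, h))
    if not output_transform:
        return h
    if out == 2:
        h = enc(k1, h)                          # Output transformation 2
    elif out == 3:
        h = enc(k, dec(k1, h))                  # Output transformation 3
    return h[:m_bytes]                          # Truncation to m bits

KEYS = (b"K-toy", b"K'-toy", b"K''-toy")        # constructed, independent keys

def padding_collision(data: bytes, method: int) -> bool:
    """Precondition of the Section 3 trailing zeros forgery: data and data||0x00
    pad to the same string.  True for Method 1, False for Methods 2 and 3."""
    return pad(data, method) == pad(data + b"\x00", method)

def section_6_1_identity(algorithm: int) -> bool:
    """Section 6.1: MAC(E,X0,F) = MAC(Y0,F) implies MAC*(E) = X0 xor Y0, and then
    MAC(E, X0^Y0^Z, P) = MAC(Z, P).  The key holder builds the colliding pair
    (Y0 = MAC*(E) xor X0) and both equalities are checked.  Holds for algorithms
    1-3; for algorithm 4 the initial transformation is not e_K, so it fails."""
    e, f, x0 = b"\x11" * 8, b"\x33" * 8, b"\xaa\xbb\xcc\xdd"
    y0 = xor(cbc_mac(KEYS, e, algorithm, output_transform=False), x0)
    collide = cbc_mac(KEYS, e + x0 + f, algorithm) == cbc_mac(KEYS, y0 + f, algorithm)
    z, p = b"\x55" * 4, b"\x66" * 8
    forged = cbc_mac(KEYS, e + xor(xor(x0, y0), z) + p, algorithm)
    return collide and forged == cbc_mac(KEYS, z + p, algorithm)

def serial_number_case(algorithm: int) -> bool:
    """Section 6.2: with serial numbers S_i prefixed in the clear, MAC(S1,E,X0,F)
    = MAC(S2,F) gives MAC*(S1,E) = X0 xor S2, so E, X0^S2^S3, P under serial
    number S1 carries the MAC that P has under S3 (needs S2 and S3 to be known)."""
    s1, s2, s3 = (i.to_bytes(N_BYTES, "big") for i in (1001, 1002, 1003))
    e, f, p = b"\x11" * 8, b"\x33" * 8, b"\x66" * 8
    x0 = xor(cbc_mac(KEYS, s1 + e, algorithm, output_transform=False), s2)
    collide = cbc_mac(KEYS, s1 + e + x0 + f, algorithm) == cbc_mac(KEYS, s2 + f, algorithm)
    forged = cbc_mac(KEYS, s1 + e + xor(xor(x0, s2), s3) + p, algorithm)
    return collide and forged == cbc_mac(KEYS, s3 + p, algorithm)
```

The checks pass for algorithms 1, 2 and 3 whatever output transformation is used, because every output transformation in Table 1 is injective, so equal MACs imply equal chaining values; under algorithm 4 the same construction fails, matching the paper's restriction of Section 6 to algorithms 1-3.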



6.3 Combining Serial Numbers with Padding Method 3 

The attack can be generalised to cover the case where Padding Method 3 and Serial Numbers are used in combination; there are two ways to combine these two features, and we describe attacks for both combinations.

Firstly, suppose they are combined as implied in [1], i.e. the serial number is prefixed before the message is padded, i.e. the length of the unpadded message is prefixed to the padded and serial numbered message. The attacker submits the r-block message $F_1, F_2, \ldots, F_r$ $2^{n/2}$ times, each time obtaining a (different) MAC for the string $L_2, S'_2, F_1, F_2, \ldots, F_r$, for a varying serial number $S'_2$. Note that $L_2$ is the ‘length-encoding block’ for the message (it will be the same every time), as inserted by Padding Method 3.
The attacker also sends $2^{n/2}$ messages $E'_1, E'_2, \ldots, E'_{q-2}, L_2, X, F_1, F_2, \ldots, F_r$ to be MACed, where $L_2$ is as above and X is different for each message. MACs are computed for strings $L_1, S'_1, E'_1, E'_2, \ldots, E'_{q-2}, L_2, X, F_1, F_2, \ldots, F_r$ where $S'_1$ is the varying serial number, and $L_1$ is the length encoding block. As before we suppose that the attacker knows the values of $S'_1$ and $S'_2$ for each of the messages.

There is a good chance that an r-block message of the first type and an $(r+q)$-block message of the second type yield the same MAC, that is,

$MAC(L_1, S_1, E_1, E_2, \ldots, E_{q-2}, L_2, X_0, F_1, F_2, \ldots, F_r) = MAC(L_2, S_2, F_1, F_2, \ldots, F_r)$,

for some particular values of $S_1, S_2, E_1, E_2, \ldots, E_{q-2}$ and $X_0$. This means that $MAC^*(L_1, S_1, E_1, E_2, \ldots, E_{q-2}, L_2, X_0) = MAC^*(L_2, S_2)$ and therefore

$MAC^*(L_1, S_1, E_1, E_2, \ldots, E_{q-2}, L_2) = e_K(L_2) \oplus X_0 \oplus S_2$.

So if an attacker knows the MAC for padded message $(L_2, S_3, P_1, P_2, \ldots, P_r)$ is equal to M (where $S_3$ is any serial number), he knows that the MAC for the padded message $L_1, S_1, E_1, E_2, \ldots, E_{q-2}, L_2, X_0 \oplus S_2 \oplus S_3, P_1, P_2, \ldots, P_r$ is also equal to M. The complexity of this MAC forgery attack is the same as before, i.e. $[0, 1, 2^{n/2+1}, 0]$.

Secondly we consider the alternative way of combining serial numbers with Padding Method 3, i.e. where we first pad the message, then prefix the length of the unpadded message, and finally prefix the resulting string with the selected serial number. That is, for a (padded) message $P_1, P_2, \ldots, P_t$, the MAC algorithm is applied to the string $S, L, P_1, P_2, \ldots, P_t$, where S is the serial number block and L is the length block of the unpadded message. We describe yet another attack variant for this case.

Briefly, the attacker submits $2^{n/2}$ $(r+q)$-block padded messages of the form $E_1, E_2, \ldots, E_{q-2}, X, L_2, F_1, F_2, \ldots, F_r$ where $E_1, E_2, \ldots, E_{q-2}$ are arbitrary n-bit blocks, $F_1, F_2, \ldots, F_r$ are arbitrary but fixed n-bit blocks, $L_2$ is an n-bit block representing the length of the unpadded string $F_1, F_2, \ldots, F_r$ (as required by Padding Method 3), and X is an n-bit block that is different for each message. The attacker obtains the corresponding MACs and the particular serial number $S_1$ used with each message. The attacker also submits the r-block padded string $F_1, F_2, \ldots, F_r$ $2^{n/2}$ times for MACing, obtaining the corresponding MACs and the different serial number $S_2$ used for each MAC obtained. There is a non-trivial probability that a MAC for one of the $(r+q)$-block messages is equal to a MAC for the r-block message for some serial numbers $S_1$ and $S_2$, that is,



MAC{Si,Li,Ei, 



, P9-2 



An , P2 , Pi 



,Fr) = MAC{S 2 ,L 2 ,Fi,...,Fr). 



This means that MAC* {Si, Li, Ei, E2, . . . , Pq-2) = Aq © S2. 

Suppose also that the attacker knows that the MAC for an $r$-block message 
$P_1, P_2, \ldots, P_r$, with unpadded length equal to $L_2$ and serial number $S_3$, 
is equal to $M$. Then he knows that the MAC for the $(r+q)$-block message 
$E_1, E_2, \ldots, E_{q-2}, X_0 \oplus S_2 \oplus S_3, L_2, P_1, P_2, \ldots, P_r$ of unpadded length $L_1$ and 
with serial number $S_1$ is also equal to $M$, or 

$$\mathrm{MAC}(S_1, L_1, E_1, E_2, \ldots, E_{q-2}, X_0 \oplus S_2 \oplus S_3, L_2, P_1, P_2, \ldots, P_r) = \mathrm{MAC}(S_3, L_2, P_1, P_2, \ldots, P_r).$$

Note that the complexity of the attack is as before, i.e. it is $[0, 1, 2^{n/2+1}, 0]$. 

6.4 Implications 

The published version of ISO/IEC 9797-1, P, indicates that forgery attacks can 
be avoided by using a combination of Padding Method 3 and Serial Numbers. 
However, the attacks described in Section 1^?^ cast serious doubt on the value of 
serial numbers as a remedy to forgery attacks even when combined with Padding 
Method 3. 

7 Summary and Conclusions 

In this paper we have surveyed some forgery attacks to which MAC algorithms 
may be subjected, including new attacks which can defeat some proposed coun- 
termeasures not successfully attacked before. In particular we have shown that 
combining Padding Method 3 and Serial Numbers is not as effective as was 
previously believed in defeating ‘shortcut’ forgery attacks. 

Of course, in practice, other security features may prevent some or all of the 
described attacks from being a real threat. For example, in certain banking envi- 
ronments the security deployed in the access to a MAC algorithm is such that it 
is extremely difficult for an unauthorised user to obtain the MAC corresponding 
to even one chosen text, let alone several. Also, if the MAC scheme is used in 
such a way that no key is used to compute more than a small number of MACs 
then certain attacks become impossible. 

The use of Padding Method 1 is not automatically excluded because of the 
attack described in section 3. It is possible that in certain environments messages 
are highly formatted to the extent that the length of a message to be MACed 
is fixed or known from the context, and therefore a trailing zeroes forgery is not 
applicable. 

In general it is important for users to carefully assess the significance of the 
various MAC attacks in the context of the environment in which the resulting 
MAC algorithm is to be used. There may be no benefit from using certain so- 
phisticated MAC systems in an environment which has other security features 
in operation which make attacks against simpler MAC schemes impossible to 
carry out. On the other hand, care should be taken not to assume that a MAC 
which is secure in a certain environment is automatically secure in others. For 
example, a 32-bit MAC which may be safely used in a banking environment 
without any serious threat from a verification forgery, is possibly not safe if used 
on the Internet or any other environment where large numbers of verifications 
may be obtained in a short time. 

The introduction and use of the AES algorithm [2], with a minimum 128- 
bit cipher block length, as the encryption function to be used in block-cipher 
based MACs means that all the attacks described here would become practically 
infeasible. However, this may not be the case if heavy truncation is used since, 
in this case, some of the attacks described in section 3 may still be possible. 

In this paper we concentrated on block-cipher based MAC algorithms as 
described in Q. It is possible that generalisations of the attacks described here 
may be also applicable to other (dedicated, hash function-based or proprietary) 
MAC algorithms which are based on iterated functions. Note that all practical 
MAC algorithms are iterated in construction. 
Abstract. At ACISP 2000, Yoo et al proposed a fast public key cryp- 
tosystem using matrices over a ring. The authors claim that the security 
of their system is based on the RSA problem. In this paper we present a 
heuristic attack that enables us to recover the private key from the pub- 
lic key. In particular, we show that breaking the system can be reduced 
to finding a short vector in a lattice which can be achieved using the 
$L^3$-lattice reduction algorithm. 



Key words: public key cryptography, cryptanalysis, $L^3$-algorithm 



1 Introduction 

Most practical public key schemes are very slow compared to symmetric key 
schemes. This motivates extensive research for faster public key schemes. Several 
lattice-based systems such as D. 121 are among these schemes. Both of these 
schemes, which are based on the closest vector problem and the shortest vector 
problem, are broken using the $L^3$ lattice reduction algorithm. In fact, the $L^3$ 
algorithm was successfully used to attack many similar public key systems 
0. Yoo et al PH proposed a fast public key cryptosystem similar to the system 
proposed in 0. However, they claim that since the security of their scheme is 
based on the RSA problem and not on lattice problems, their scheme is secure 
against these lattice basis reduction attacks. In this paper we show that breaking 
this system is equivalent to the problem of finding a short vector in a lattice, 
which can be solved using the $L^3$-lattice reduction algorithm. In particular, 
our heuristic attack enables us to recover the private key from the public key 
and hence represents a total break for the proposed system. 

The paper is organized as follows. In section 2 we give a description for the 
system proposed in PH. In section 3, we describe our attack. Finally we give 
a numerical example using the same parameters of the encryption-decryption 
example in PH. 



V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 15-^3 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
2 Description of the Proposed Scheme 

In this section we review the proposed public key scheme. Further details and 
justification for the bounds on the parameters can be found in HH. 

Let $n$ be the dimension of a lattice. The basic steps to choose the parameters 
are as follows: 

1 Choose positive integers $\bar m, \bar e, d_{ii}$, $1 \le i \le n$, primes $p, q$ and a matrix 
$D \in \mathrm{Mat}_n(\mathbb{Z})$ with the following conditions: 

1.1 $N = pq$. 

1.2 $\bar m, \bar e$: random integers such that $\bar m \ll \bar e \ll \ldots$, where $\bar m$ and $\bar e$ are 
upper bounds of messages and error vectors respectively. 

1.3 $D$: diagonal matrix such that $\bar m < |d_{ii}| < \ldots$, where $d_{ii}$, $1 \le i \le n$, are the 
diagonal entries of $D$. 

2 Choose an invertible matrix $T = (t_{ij}) \in \mathrm{Mat}_n(\mathbb{Z})$ such that $\ldots < \ldots$ 

3 Form the matrices $R = DT$ and $B = B_q U L \bmod N$, where $B_q = R^{-1} \bmod q$, and 
$L$ (respectively $U$) is a unimodular lower (respectively upper) triangular matrix 
all of whose entries except the diagonal entries are multiples of $q$. 

$B, \bar e, \bar m$ and $N$ are public information. $R, q$ and $T$ are kept secret. 

Encryption: Let $M = (m_1, \ldots, m_n)^t$, $0 \le m_i < \bar m$, be a message vector and 
$E = (e_1, \ldots, e_n)^t$, $0 \le e_i < \bar e$, be an arbitrary error vector. Then the ciphertext is 

$$C = (BM + E) \bmod N.$$

Decryption: At first compute $X = (x_1, \ldots, x_n)^t$: 

$$C_q = C \bmod q,$$

$$X = R\, C_q \bmod q.$$

Then $m_i = x_i \pmod{d_{ii}}$, $1 \le i \le n$. 



3 Attacking the Scheme 

In this section we will present a heuristic attack that enables us to recover the 
private key from the public key. In particular, this attack enables us to factor $N$ 
using the matrix $B$ only. As mentioned in jl I), once $q$ is revealed, one can find 
$B_q$ and $D$ and the system is totally broken. Recall that 

$$B_q^{-1} \bmod q = R.$$

The following lemma follows by noting that for $N = pq$ and for any integer $a$ we 
have 

$$a \bmod q = (a \bmod N) \bmod q.$$

Let $V = B^{-1} \bmod N$. Then we have 

Lemma 1. $V \bmod q = (B^{-1} \bmod N) \bmod q = (B^{-1} \bmod q) = R.$ 

Let $T_{max}$ denote $\max_{i,j} |t_{ij}|$. Then from Section 3 in m we have 

$$D_{max}\, T_{max} < \frac{q - \bar m}{n \bar e}.$$

Thus every element of the matrix $V$ can be represented as 

$$v_{ij} = a_{ij}\, q + r_{ij},$$

where $0 \le a_{ij} < p$, $r_{ij} < D_{max} T_{max}$, $1 \le i, j \le n$. 

The basic steps in the attack are as follows: 

1. Calculate the matrix $V = B^{-1} \bmod N$. 

2. Pick $m$, $m \le \ldots$, elements from the set $\{v_{ij}\}_{1 \le i,j \le n}$. Let $S = \{s_i\}_{1 \le i \le m}$ 
denote the set formed from the elements above. 

3. Use the $L^3$ algorithm to find a reduced basis $\mathcal{B}$ for the $(m+1)$-dimensional 
lattice $\mathcal{L}$ which is generated by the rows of the matrix 

$$\begin{pmatrix} N & 0 & 0 & \cdots & 0 & 0 \\ 0 & N & 0 & \cdots & 0 & 0 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & N & 0 \\ -s_1 & -s_2 & -s_3 & \cdots & -s_m & 1 \end{pmatrix}.$$

4. For each row $l = (l_1, \ldots, l_m, l_{m+1})$ in $\mathcal{B}$ such that $l_{m+1} \ne N$ do the follow- 
ing: 

- Evaluate $\gcd(N, l_{m+1})$. 

- If $\gcd(N, l_{m+1}) \ne 1$, return $p = \gcd(N, l_{m+1})$. 

5. Return (Failure). 

The following lemma is used to justify the success of the attack. 

Lemma 2. The vector 

$$x = \big((a_1 N - p s_1), (a_2 N - p s_2), \ldots, (a_m N - p s_m), p\big) = (-p \tilde s_1, -p \tilde s_2, \ldots, -p \tilde s_m, p)$$

is in $\mathcal{L}$ and has length less than approximately $\sqrt{m+1}\, p\, q^{1/2}$. 

Proof. The first part follows by noting that $x$ is a linear combination of the rows 
of $\mathcal{L}$. The second part follows by noting that each of the elements $s_i$ can be 
represented as $s_i = a_i q + \tilde s_i$ where $\tilde s_i < q^{1/2}$. 

Note that our lattice has dimension $(m+1)$ and volume $N^m$. From the lemma 
above, $x$ is short compared to the $(m+1)$-th root of the volume of the lattice. 
Hence, there is a good possibility that the $L^3$ algorithm will produce a reduced 
basis which includes the vector $x$. If no solution exists then we can try another 
subset of elements $\{v_{ij}\}$. Our experimental results show that the algorithm 
finds $p$ with high probability. 

Let $\{b_1, b_2, \ldots, b_{m+1}\}$ denote the basis of the lattice $\mathcal{L}$ above. Let $C \in \mathbb{R}$ be 
such that $|b_i|^2 \le C$ for $i = 1, \ldots, m+1$, where $|b_i|$ denotes the length of the basis 
vector $b_i$. The number of arithmetic operations needed by the $L^3$ algorithm is 
$O((m+1)^4 \log C)$, on integers of size $O((m+1) \log C)$. 

Remark 1. The lattice used in step 3 is the standard lattice used in the Simul- 
taneous Diophantine Approximation (SDA) P|. I.e., our problem can also be 
formulated in terms of SDA. It was noted by Nguyen and Shparlinski ^ that 
this formulation leads to an unconditional provable attack provided that $p$ and $q$ 
are much unbalanced ($q > \ldots$) because we would have an unusually good SDA 
(see Fact 3.107 in P]). In fact, in this case, we can easily solve the problem using 
the continued fraction approximation P|. It was also noted in Pj that while the 
attack in jSj can be applied to this cryptosystem, it is not an improvement of 
our attack and our attack is much simpler in this case. 



4 Numerical Example 



In order to illustrate the steps in our cryptanalysis, we will use the same nu- 
merical example given in El. Let $q = 10570841$ and $p = 10570837$. Then 
$N = 111742637163917$. Let 

$$D = \begin{pmatrix} 612 & 0 & 0 & 0 \\ 0 & 681 & 0 & 0 \\ 0 & 0 & 697 & 0 \\ 0 & 0 & 0 & 601 \end{pmatrix}$$

and 

$$T = \begin{pmatrix} 5 & 2 & 3 & 7 \\ 4 & 3 & 1 & 2 \\ 4 & 7 & 1 & 3 \\ 2 & 3 & 4 & 9 \end{pmatrix}.$$

Then 

$$R = DT = \begin{pmatrix} 3060 & 1224 & 1836 & 4284 \\ 2724 & 2043 & 681 & 1362 \\ 2788 & 4879 & 697 & 2091 \\ 1202 & 1803 & 2404 & 5409 \end{pmatrix}.$$

Choose 

$$U = \begin{pmatrix} 1 & -10570841 & 10570841 & -10570841 \\ 0 & 1 & 10570841 & -10570841 \\ 0 & 0 & 1 & 10570841 \\ 0 & 0 & 0 & 1 \end{pmatrix},$$

$$L = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 10570841 & 1 & 0 & 0 \\ 10570841 & -10570841 & 1 & 0 \\ -10570841 & 10570841 & 10570841 & 1 \end{pmatrix}.$$

Then we have 

$$B = \begin{pmatrix} 85902782524529 & 7783949494261 & 108645955098741 & 62082137341722 \\ 37207086894442 & 97811933363455 & 31492859166426 & 47829503460547 \\ 43940929239657 & 99629428908384 & 64015171957907 & 95852228892018 \\ 100737337377789 & 6871742549039 & 58298211039553 & 15913440226477 \end{pmatrix}.$$

Since $B$ and $N$ are public information, we can calculate 

$$V = B^{-1} \bmod N = \begin{pmatrix} 72960716256453 & 4761772750607 & 47819503708674 & 64505037116731 \\ 18354764339802 & 34264334590284 & 25746128923461 & 46666277809305 \\ 28770435964827 & 105706232411633 & 39730135919762 & 9119580812042 \\ 89276407646137 & 79398453561765 & 94718657144415 & 99534468035995 \end{pmatrix}.$$

Then we arbitrarily select the set 

$$S = \{v_{11}, v_{12}, v_{13}, v_{14}\} = \{72960716256453,\ 4761772750607,\ 47819503708674,\ 64505037116731\}.$$

Using the $L^3$ algorithm (See algorithm 3.101 in H. uni), the basis to be reduced 
is: 

$$\begin{pmatrix} 111742637163917 & 0 & 0 & 0 & 0 \\ 0 & 111742637163917 & 0 & 0 & 0 \\ 0 & 0 & 111742637163917 & 0 & 0 \\ 0 & 0 & 0 & 111742637163917 & 0 \\ -72960716256453 & -4761772750607 & -47819503708674 & -64505037116731 & 1 \end{pmatrix}.$$

The $L^3$-reduced basis is: 

$$\begin{pmatrix} -32346761220 & -12938704488 & -19408056732 & -45285465708 & 10570837 \\ -87078711029 & 39709857984 & 7883945327 & 11690435622 & 4385339758 \\ -12420733475 & -4968293390 & -7452440085 & -17389026865 & 182590067501 \\ -102740951106 & -253999460687 & 146924464771 & 79909317394 & 26579009212 \\ 1917450399 & -58848334744 & -420915726704 & 231779925047 & 78377734153 \end{pmatrix}.$$

Hence we get $p = 10570837$. Once $p$ is revealed we calculate $q = N/p$. Then, by 
Lemma 1, we get $R = V \bmod q$. After this we calculate $d_{ii} = \gcd(r_{i1}, r_{i2}, \ldots, r_{in})$, $1 \le i \le n$. 

It is worth noting that it only took us 91, 520 and 4802 seconds to break 
the algorithm for the size of $N$ = 256, 512 and 1024 bits respectively. We set 
$m = 10$ through step 2 of the attack. We performed our experiments with Maple 
V Release 5.1 running on a SUN ULTRA-80 workstation. 
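The scheme of Section 2 and the attack of Section 3, carried through on the numbers of this example, as an added worked example (it is not the authors' code: the LLL routine is a textbook implementation rather than the Maple run reported above, `keygen` builds B as B_q U L from the D, T, U and L printed above, and the sample message, error vector and their bounds are constructed for the demonstration):

```python
"""Yoo et al. matrix scheme (Section 2) and the lattice attack (Section 3) run on the
paper's numbers (Section 4).  Constructed example; LLL is a textbook implementation."""
from fractions import Fraction
from math import gcd

P_PAPER, Q_PAPER = 10570837, 10570841             # secret primes of the example
D_DIAG = [612, 681, 697, 601]                     # diagonal of D
T_MAT = [[5, 2, 3, 7], [4, 3, 1, 2], [4, 7, 1, 3], [2, 3, 4, 9]]   # R = D*T

def mat_mul(a, b, mod):
    return [[sum(x * y for x, y in zip(row, col)) % mod for col in zip(*b)] for row in a]

def mat_vec(a, v, mod):
    return [sum(x * y for x, y in zip(row, v)) % mod for row in a]

def mat_inv_mod(a, mod):
    """Gauss-Jordan inverse modulo mod; every pivot must be a unit modulo mod."""
    n = len(a)
    aug = [[x % mod for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        piv = next(r for r in range(c, n) if gcd(aug[r][c], mod) == 1)
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, mod)
        aug[c] = [x * inv % mod for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % mod for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen(p, q, d_diag, t_mat):
    """B = B_q U L mod N with B_q = R^{-1} mod q; U, L are the paper's unimodular
    matrices (all off-diagonal entries are multiples of q)."""
    N = p * q
    R = [[d * t for t in row] for d, row in zip(d_diag, t_mat)]
    U = [[1, -q, q, -q], [0, 1, q, -q], [0, 0, 1, q], [0, 0, 0, 1]]
    Lo = [[1, 0, 0, 0], [q, 1, 0, 0], [q, -q, 1, 0], [-q, q, q, 1]]
    B = mat_mul(mat_mul(mat_inv_mod(R, q), U, N), Lo, N)
    return (B, N), (R, q, d_diag)

def encrypt(pub, msg, err):                       # C = (B M + E) mod N
    B, N = pub
    return [(c + e) % N for c, e in zip(mat_vec(B, msg, N), err)]

def decrypt(priv, cipher):                        # X = R (C mod q) mod q; m_i = x_i mod d_ii
    R, q, d_diag = priv
    return [x % d for x, d in zip(mat_vec(R, [c % q for c in cipher], q), d_diag)]

def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL with exact rationals (adequate for a 5-dimensional lattice)."""
    b, n = [list(r) for r in basis], len(basis)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gso():                                    # Gram-Schmidt vectors b* and coefficients mu
        bs, mu = [], [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    bs, mu = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                for jj in range(j + 1):
                    mu[k][jj] -= r * mu[j][jj]
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gso()
            k = max(k - 1, 1)
    return b

def factor_from_public_key(B, N, subset=None):
    """Steps 1-5 of the attack: V = B^{-1} mod N, the lattice spanned by N*e_i and
    (-s_1, ..., -s_m, 1), LLL, then gcd with N.  Default subset: the first row of V."""
    V = mat_inv_mod(B, N)
    s = V[0] if subset is None else subset
    m = len(s)
    rows = [[N * int(i == j) for j in range(m)] + [0] for i in range(m)] + [[-x for x in s] + [1]]
    # Every coordinate of x = (-p*s~_1, ..., -p*s~_m, p) is a multiple of p, so any of
    # them can expose the factor (the paper tests the last coordinate l_{m+1}).
    for vec in lll_reduce(rows):
        for g in (gcd(N, abs(e)) for e in vec):
            if 1 < g < N:
                return g
    return None

def run_paper_example():
    pub, priv = keygen(P_PAPER, Q_PAPER, D_DIAG, T_MAT)
    B, N = pub
    V = mat_inv_mod(B, N)
    msg, err = [17, 255, 599, 0], [123, 456, 7, 499]   # constructed; m_i < d_ii, x_i stays below q
    return {"decrypt_ok": decrypt(priv, encrypt(pub, msg, err)) == msg,
            "lemma1_holds": [[v % Q_PAPER for v in row] for row in V] == priv[0],
            "recovered_p": factor_from_public_key(B, N)}
```

`run_paper_example()` checks that decryption inverts encryption (the error term contributes $d_{ii}(TE)_i$ to $x_i$, which vanishes modulo $d_{ii}$ as long as $x_i < q$), verifies Lemma 1 numerically ($V \bmod q = R$), and recovers $p = 10570837$ from $(B, N)$ alone. Because the lattice has only five dimensions, exact-rational LLL is fast enough; for the 256- to 1024-bit moduli timed above a floating-point implementation would be needed.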
Abstract. We propose a new attack on the self-shrinking generator 0. 
The attack is based on a backtracking algorithm and will reconstruct 
the key from a short sequence of known keystream bits. We give both 
mathematical and empirical evidence for the effectiveness of this attack. 
The algorithm takes at most $O(2^{0.694L})$ steps, where $L$ is the key length. 
Thus, our attack is more efficient than previously known key reconstruc- 
tion algorithms against the self-shrinking generator that operate on short 
keystream sequences. 



1 Introduction 

The self-shrinking generator 0 is a keystream generator for use as a stream 
cipher. It is based on the shrinking principle and has remarkably low hardware 
requirements. So far, it has shown considerable resistance against cryptanalysis. 

In cryptanalysis of a keystream generator, the attacker is assumed to know 
a segment of the keystream. The system is considered broken if the attacker can 
predict the subsequent bits of the keystream with success probability higher than 
pure guessing. One way to achieve this goal is to reconstruct the initial state of 
the generator, which allows prediction of the remaining keystream sequence with 
probability 1. 

In this paper, we propose a new attack against the self-shrinking generator. It 
reconstructs the initial state of the generator from a short keystream sequence, 
requiring $O(2^{0.694L})$ computational steps. The fastest attack previously known 
that operates on a short keystream sequence 0 requires $O(2^{0.75L})$ steps. The 
only attack that has the potential to achieve a better running time 0 needs a 
much longer keystream sequence. 

The paper is organised as follows: In section 2 we give an introduction to 
both the shrinking and the self-shrinking generator, the former providing the 
working principle for the latter. Section 3 surveys some of the previous work on 
cryptanalysis of the self-shrinking generator. 

Sections 4 and 5 describe our attack and its properties. After giving a description 
of the algorithm in section 4, we prove the running time to be upper bounded 
by $O(2^{0.694L})$ steps in section 5. Section 6 provides some supplementary experi- 
mental results. 

We conclude in section 7 by giving some design recommendations that help 
in strengthening a self-shrinking generator against our attack. 

** Supported by DFG grant Kr 1521/3-1 



2 Description of the Cipher 

2.1 The Shrinking Generator 

In 0 El, Coppersmith, Krawczyk and Mansour introduced a new pseudorandom 
keystream generator called the shrinking generator. It consists of two linear 
feedback shift registers (LFSR) $A$ and $S$,¹ generating the m-sequences $(a_i)_{i \ge 0}$ 
(denoted as A-sequence) and $(s_i)_{i \ge 0}$ (denoted as S-sequence), respectively. The 
keystream sequence $(z_j)_{j \ge 0}$ is constructed from these two sequences according 
to the following selection rule: For every clock $i$, consider the selection bit $s_i$. If 
$s_i = 1$, output $a_i$. Otherwise, discard both $s_i$ and $a_i$. 

This way, a nonlinear keystream is generated. Even a cryptanalyst who knows 
part of the keystream sequence can not tell easily which $z_j$ corresponds to which 
$a_i$, since the length of the gaps (i.e., the number of $a_i$ that have been discarded) 
is unknown. 

In Pj, the shrinking generator is shown to have good algebraic and statistical 
properties. For a generalisation of some of these results, refer to Pg. Also in |2|, 
a number of algebraic attacks that reconstruct the initial state of $A$ and $S$ are 
given. Note that all of them require exponential running time in the length $|S|$ 
of LFSR $S$. 

A probabilistic correlation attack against the shrinking generator is discussed 
in ^. The authors give both mathematical and empirical treatment of the 
necessary computation. The resulting attack reconstructs the initial state of $A$, 
requiring an exponential running time in the length $|A|$ of LFSR $A$. Note that 
in order to reconstruct the initial state of $S$, another search is required. 

As a consequence, a shrinking generator with $|A| \approx |S|$ still remains to be 
broken by an algorithm that is significantly more effective than the one presented 
in PI (for a description, see section 4.1). 

2.2 The Self-Shrinking Generator 

The self-shrinking generator is a modified version of the shrinking generator 
and was first presented by Meier and Staffelbach in |S|. 

The self-shrinking generator requires only one LFSR $A$, whose length will 
be denoted by $L$. The LFSR generates an m-sequence $(a_i)_{i \ge 0}$ in the usual way. 
The selection rule is the same as for the shrinking generator, using the even 
bits $a_0, a_2, \ldots$ as S-bits and the odd bits $a_1, a_3, \ldots$ as A-bits in the above sense. 

¹ The shrinking principle can be applied to any two binary symmetric sources; it is not 
restricted to LFSR. All of the algebraic results on the shrinking generator, however, 
are based on the assumption that LFSR are used as building blocks. 
Fig. 1. The Shrinking Generators (panels: Shrinking Generator; Self-Shrinking Generator) 



Thus, the self-shrinking rule requires a tuple $(a_{2i}, a_{2i+1})$ as input and outputs 
$a_{2i+1}$ iff $a_{2i} = 1$. 

The close relationship between shrinking and self-shrinking generator is shown 
in figure 1. In |2|, an algorithm is given that transforms an $L$-bit self-shrinking 
generator into a $2L$-bit shrinking generator. It is also shown that a shrinking gen- 
erator with register lengths $|A|$ and $|S|$ has an equivalent self-shrinking generator 
of length $L = 2 \cdot (|A| + |S|)$. Notwithstanding this similarity, the self-shrinking 
generator has shown even more resistance to cryptanalysis than the shrinking 
generator. The next section gives a short description of the most efficient key 
reconstruction attacks that have been proposed in recent years. 



3 Previous Work on Cryptanalysis 

First, note that the attacks that have been proposed against the shrinking gener- 
ator can not be transferred to its self-shrinking counterpart. The shrinking gen- 
erator is best broken by attacking either LFSR A or S, thus effectively halving 
the key length. The self-shrinking generator, however, has molded both registers 
into an inseparable unit, namely a single LFSR. For this reason, “separation 
attacks” can not be employed without major modifications. 



3.1 Period and Linear Complexity 

The period $\Pi$ of a keystream sequence generated by a self-shrinking generator 
was proven to be $2^{\lfloor L/2 \rfloor} \le \Pi \le 2^{L-1}$ in jHj. Experimental data seems to indicate 
that the period always takes the maximum possible value for $L > 3$. 

It was also shown that the linear complexity $C$ is always greater than $\Pi/2$. 
On the other hand, $C$ was proven in P to be at most $2^{L-1} - (L - 2)$. If $\Pi = 2^{L-1}$ 
we have $C \in O(2^{L-1})$. 

As a consequence, a LFSR with length equal to $C$ can be constructed from 
about $2^L$ keystream bits in $O(2^{2L-2})$ computational steps, using the Berlekamp- 
Massey algorithm [Z|. For realistic generator sizes of $L > 100$, this attack is thus 
computationally unfeasible. 
3.2 Attacks Using Short Keystream Sequences 

Even if the feedback logic of the LFSR is not known, there is a simple way 
of reducing the key space |^. Consider the first two bits $(a_0, a_1)$ of the LFSR 
(unknown) and the first bit $z_0$ of the keystream (known). Then there are only 
three out of four possible combinations $(a_0, a_1)$ that are consistent with the 
keystream, since $(a_0, a_1) = (1, \bar z_0)$ is an immediate contradiction. The same rule 
can be applied for the next bit pair $(a_2, a_3)$, and so on. Consequently, only 

$$3^{L/2} = 2^{(\log_2 3 / 2) \cdot L} \approx 2^{0.79L}$$

possible initial values for the LFSR $A$ are consistent with the keystream. 

The running time that is needed to search through the reduced key space can 
be further reduced on average by considering the likelihood of the keys. Note 
that the following holds: 

$$\Pr[(a_0, a_1) = (0, 0) \mid z_0] = 1/4,\qquad \Pr[(a_0, a_1) = (0, 1) \mid z_0] = 1/4,\qquad \Pr[(a_0, a_1) = (1, z_0) \mid z_0] = 1/2.$$

Thus, the entropy of the bit pair is 

$$H = -(1/4)\log(1/4) - (1/4)\log(1/4) - (1/2)\log(1/2) = 3/2.$$

The total entropy of an initial state consisting of $L/2$ such pairs is thus $3L/4$. 
At the same time, $2^{0.75L}$ is the effort for searching the key space if the crypt- 
analyst starts with the most probable keys. Surprisingly, this is still the most 
efficient reconstruction algorithm using short keystream sequences that has been 
published. 



3.3 Attack Using Long Keystream Sequences 

In P], Mihaljevic presented a faster attack that needs, however, a longer part of 
the keystream sequence. Let the length of this known part be denoted by $N$. Then 
the attacker assumes that an $l$-bit section of the keystream has been generated 
by the current inner state of the LFSR. Consequently, $l$ out of the $L/2$ even bits 
of $A$ must be equal to 1. The attacker guesses these bits and checks whether or 
not this guess can be correct, iterating over all $l$-bit sections of the keystream. It 
is shown that cryptanalysis is successful with high probability after $2^{L-l}$ steps. 

Since this procedure only makes sense for $L/4 \le l \le L/2$, the running time 
can vary from $2^{0.5L}$ in the very best case to $2^{0.75L}$ under more unfavourable 
circumstances. The efficiency of the attack depends mainly on the number of 
keystream bits that are available, since the value $l$ must be chosen such that the 
following inequality holds: 



N > C2^/2 . 



-1 
value l:   0.25L        0.306L       0.50L 
Time:      2^{0.75L}    2^{0.694L}   2^{0.5L} 
Bits: 
L = 120    2^{8.19}     2^{10.17}    2^{65.91} 
L = 160    2^{8.81}     2^{11.37}    2^{86.32} 
L = 200    2^{9.30}     2^{13.07}    2^{106.64} 
L = 240    2^{9.69}     2^{14.03}    2^{126.91} 
L = 280    2^{10.02}    2^{14.94}    2^{147.13} 
L = 320    2^{10.31}    2^{15.81}    2^{167.32} 

Table 1. Number N of keystream bits required for Mihaljevic attack 



In order to get a feeling for the number of bits required for this attack, table 1 
gives some examples of required bitstream lengths for different register sizes $L$. 
The number of bits is given in logarithmic form in order to enhance readability. 
We concentrate on three cases: 

— In order to beat the best key reconstruction algorithm described above, we 
need $l = 0.25L$, yielding a running time of $2^{0.75L}$ steps. 

— Improving the running time to $2^{0.694L}$ (which is the performance of the 
algorithm to be presented in section 4) requires $l = 0.306L$. 

— In order to achieve the best possible running time of $2^{0.5L}$ steps, we need 
$l = 0.5L$. Note that for realistic register lengths, the sheer amount of required 
data (namely, $N > \frac{L}{2} \cdot 2^{L/2}$) should make such an attack a mere theoretical 
possibility. 

4 The Backtracking Algorithm 

The goal of our cryptanalysis is the reconstruction of an inner state of the genera- 
tor that is consistent with the keystream. We assume thus that a short keystream 
sequence of length k, L bits is known to the attacker. 

We also assume that the feedback polynomial of the generator is known. Note 
that none of the attacks given in section 3 makes use of the feedback logic. It 
can be expected that the use of additional information should lead to a more 
efficient attack. 



4.1 Basic Idea: Attacking the Shrinking Generator 

First, consider cryptanalysis of the shrinking generator. If the feedback polyno- 
mials are known, an obvious way of reconstructing the inner states is as follows. 

1. Guess the inner state of the control register $S$. From this, we can determine 
as many bits of the S-sequence as required. 

2. Knowing the S-sequence and part of the keystream sequence, we can recon- 
struct single bits of the A-sequence. 

3. Each known bit of the A-sequence gives a linear equation. If we can find $|A|$ 
linearly independent equations, we can solve the system and thus reconstruct 
the inner state of register $A$. 

4. We run the shrinking generator, using the reconstructed inner states for 
$A$ and $S$. If the keystream sequence thus generated matches the known 
keystream sequence in the first $|A| + |S| + e$ positions (where $e$ is a secu- 
rity margin), we have found with high probability the correct inner state. 

The running time of this attack (that was also presented in ^j) is obviously 
upper bounded by $O(|A|^3 \cdot 2^{|S|})$, since there are at most $2^{|S|} - 1$ inner states of 
register $S$ and the solving of a system of $|A|$ linear equations takes at most $|A|^3$ 
steps. 

4.2 Applying the Idea to the Self-Shrinking Generator 

The principle of guessing only the S-bits and deriving the A-bits by solving 
a system of linear equations can be applied to the self-shrinking generator as 
well. It is, however, not as straightforward as with the shrinking generator, since 
guessing all S-bits in the initial state (i.e., all even bits) will not enable the 
cryptanalyst to compute the rest of the S-sequence (unless the generator has a 
non-primitive characteristic polynomial). Thus, we will guess the even bits one 
at a time, using a backtracking approach similar to the procedure proposed by 
Golic for cryptanalysis of the A5/1 stream cipher. 

Before we describe the details of the attack, we give the following property 
of the key (i.e. the initial state of the LFSR)²: 

Proposition 1. For each key $K = (a_0, \ldots, a_{L-1})$ with $a_0 = 0$, there exists an 
equivalent key $K' = (a'_0, \ldots, a'_{L-1})$ with $a'_0 = 1$. 

Proof. Consider the sequence $(a_i)_{i \ge 0}$ generated by the inner state $K$. Suppose 
the first '1' on an even position appears in position $2k$. Then clock the register 
by $2k$ steps, deriving the new inner state $K' = (a_{2k}, \ldots, a_{2k+L-1})$. Obviously, 
both inner states yield the same keystream sequence, since in transforming $K$ 
to $K'$, no output is generated. □ 

It is thus safe to assume that $a_0 = 1$ and $a_1 = z_0$. This way, we will recon- 
struct a key that is not necessarily equal to the original key, but it is equivalent 
in a sense that it will create the same keystream sequence. 

From now on, we will have to guess the even bits of the sequence $(a_i)_{i \ge 2}$. 
This way, we obtain two different types of equations as follows: 

— Every guess can be represented by a linear equation $a_{2i} = b$. These equations 
will be referred to as being of type 1. 

— If $a_{2i} = 1$, we obtain a second equation of the type $a_{2i+1} = z_j$, where 
$j = \sum_{c=0}^{i-1} a_{2c}$. These equations will be denoted as being of type 2. 

This approach will be implemented using a tree of guesses as shown in figure 2. 

² The same property also holds for the shrinking generator. In this context, it was 
discussed in m 
Fig. 2. The Tree of Guesses 

As long as $i \le \lfloor L/2 \rfloor - 1$, the development of the tree is straightforward. 
We get exactly two new equations whenever we follow a '1' branch and exactly 
one new equation when following a '0' branch. All of these equations are lin- 
early independent, since no variable $a_k$ appears more than once. Thus, we get a 
complete binary tree with height $\lfloor L/2 \rfloor - 1$. 

After that point, however, the tree becomes irregular, since the indices of 
the new equations become larger than $L - 1$. Thus, the feedback recurrence 
must be used to convert the simple equations into a representation using only 
$a_0, \ldots, a_{L-1}$. Depending on the equations that are already known, there is an 
increasing probability that the new equations are linearly dependent of the ear- 
lier ones. That means they are either useless (in case they are consistent with 
the existing equation system) or lead to a contradiction. In the latter case, we 
have chosen a path in the tree that is not consistent with the known keystream 
sequence. We can thus ignore the current branch and start backtracking. 

If we find a branch that ultimately gives us $L$ linearly independent equations, 
we can solve the equation system and derive a key candidate. This candidate is 
evaluated by running the self-shrinking generator with this initial value, generat- 
ing a candidate keystream of length $L + e$ (where $e$ is a small number of additional 
bits). We compare the candidate keystream with the known keystream segment. 
If they match, the key candidate is equivalent to the original key with high 
probability. 
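The generator of section 2.2, the $3^{L/2}$ consistent-state count of section 3.2, and the backtracking search just described (guess an even bit, pin the matching odd bit from the keystream, prune on a linear contradiction, solve at rank $L$ and verify), as one added example. It is not the paper's code: the feedback polynomial, the register length $L = 16$ and the sample key are assumptions, chosen small so that the exhaustive count stays cheap. Linear equations over GF(2) are kept as bitmasks over the $L$ key bits, and the feedback recurrence expresses every later $a_i$ in terms of $a_0, \ldots, a_{L-1}$.

```python
from functools import reduce

L = 16
# a[i+L] = a[i] ^ a[i+2] ^ a[i+3] ^ a[i+5]: reciprocal of the textbook maximal-length
# taps (16, 14, 13, 11); assumed primitive, so (a_i) is an m-sequence.
TAPS = (0, 2, 3, 5)

def lfsr_sequence(state, n):
    """First n bits of (a_i) started from the key a_0..a_{L-1}."""
    a = list(state)
    while len(a) < n:
        i = len(a) - L
        a.append(reduce(int.__xor__, (a[i + t] for t in TAPS)))
    return a[:n]

def self_shrink(state, n_out):
    """Selection rule of Section 2.2: output a_{2i+1} iff a_{2i} = 1."""
    a = lfsr_sequence(state, 16 * n_out + 2 * L)    # ample: about 1/4 of the bits survive
    out = [a[2 * i + 1] for i in range(len(a) // 2) if a[2 * i] == 1]
    if len(out) < n_out:
        raise ValueError("degenerate state: too few selection bits set")
    return out[:n_out]

def consistent_initial_states(z):
    """Exhaustively count initial states whose first L/2 pairs obey the pair rule of
    Section 3.2: (0,0) and (0,1) always fit, (1,b) fits iff b is the next keystream bit."""
    count = 0
    for s in range(1 << L):
        j, ok = 0, True
        for i in range(L // 2):
            if (s >> (2 * i)) & 1:
                ok = ok and ((s >> (2 * i + 1)) & 1) == z[j]
                j += 1
        count += ok
    return count

def bit_masks(n):
    """a_0..a_{n-1} as GF(2) combinations of the key bits (bit i of a mask <-> a_i)."""
    masks = [1 << i for i in range(L)]
    while len(masks) < n:
        i = len(masks) - L
        masks.append(reduce(int.__xor__, (masks[i + t] for t in TAPS)))
    return masks

def add_equation(system, mask, rhs):
    """Insert <mask, key> = rhs into an echelon system {pivot bit: (mask, rhs)}.
    Returns False on a contradiction, True if independent or merely redundant."""
    for piv in sorted(system):
        if mask & piv:
            pm, pr = system[piv]
            mask, rhs = mask ^ pm, rhs ^ pr
    if mask == 0:
        return rhs == 0
    system[mask & -mask] = (mask, rhs)
    return True

def solve(system):
    """Gauss-Jordan on a full-rank echelon system; returns the key a_0..a_{L-1}."""
    rows = [list(system[piv]) for piv in sorted(system)]
    for cur in rows:
        pm, pr = cur
        for row in rows:
            if row is not cur and row[0] & (pm & -pm):
                row[0] ^= pm
                row[1] ^= pr
    return [next(pr for pm, pr in rows if pm == 1 << k) for k in range(L)]

def reconstruct(z):
    """Backtracking attack of Section 4.2: guess even bits one at a time (type-1
    equations), pin odd bits with keystream bits (type-2), prune on contradictions."""
    masks = bit_masks(2 * L + 2)          # L pairs suffice: the even bits are independent
    base = {}
    add_equation(base, masks[0], 1)       # Proposition 1: assume a_0 = 1 ...
    add_equation(base, masks[1], z[0])    # ... hence a_1 = z_0
    def search(system, i, j):             # next pair (a_2i, a_2i+1); next keystream bit z_j
        if len(system) == L:
            cand = solve(system)
            try:
                return cand if self_shrink(cand, len(z)) == z else None
            except ValueError:
                return None
        if 2 * i + 1 >= len(masks):
            return None
        for guess in (1, 0):
            if guess and j >= len(z):
                continue                  # no keystream bit left for a type-2 equation
            s = dict(system)
            if not add_equation(s, masks[2 * i], guess):
                continue
            if guess and not add_equation(s, masks[2 * i + 1], z[j]):
                continue
            found = search(s, i + 1, j + guess)
            if found is not None:
                return found
        return None
    return search(base, 1, 1)

SAMPLE_KEY = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1]   # constructed; a_0 = 0 on purpose

def demo(key=SAMPLE_KEY, known=3 * L):
    z = self_shrink(key, known)
    found = reconstruct(z)
    return {"consistent_states": consistent_initial_states(z),   # equals 3^(L/2)
            "found_key": found,                                   # an equivalent key with a_0 = 1
            "same_keystream": found is not None and self_shrink(found, 8 * L) == self_shrink(key, 8 * L)}
```

`demo()` starts from a key with $a_0 = 0$, so the search returns the equivalent key of Proposition 1 rather than the original; both produce the same keystream far beyond the known segment. The exhaustive count confirms that exactly $3^{L/2}$ of the $2^L$ initial states survive the pair rule, which is the $2^{0.79L}$ of section 3.2.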



5 Upper Bounding the Running Time 

In this section, we establish an asymptotical upper bound on the running time of 
our algorithm. For this purpose, we first give an upper bound $C_\ell$ for the number 
of leaves in the tree of guesses (sections 5.1-5.3). Then, in section 5.4 we derive 
an upper bound for the number $N_\ell$ of nodes in the tree and conclude that the 
total running time of the algorithm can be upper bounded by $O(L^{\ldots} \cdot 2^{0.694L})$. 
5.1 Well-Formed vs. Malformed Trees 

Let $T_\ell$ denote a tree of guesses such that $\ell$ linearly independent equations are 
still missing in the root to allow the solving of the equation system. Note that 
for the search tree given in section 4 we have $\ell = L - 2$. 

In order to formally prove the maximum number $C_\ell$ of leaves in $T_\ell$, we label 
the nodes as follows: Each node is labelled by the number of linearly independent 
equations still needed in order to solve the equation system. The root is thus 
labelled by $\ell$. For technical reasons, we allow a leaf of the tree to take both the 
labels 0 and $-1$, both meaning that the system is completely specified. 

Assumption 1 For the following average case analysis, we assume that an 
equation that is linearly dependent of its predecessors will lead to a contradiction 
with probability 1/2. 

This assumption is reasonable, since the bits $a_{2i}$ and $a_{2i+1}$ are generated by 
an m-LFSR, meaning that a variable takes values 0 and 1 with (almost) equal 
probability. 

Now consider an arbitrary node $V$ of depth $i - 1$, $i \ge 1$, and its two children, 
$V_0$ and $V_1$ (reached by guessing $a_{2i} = 0$ or $a_{2i} = 1$, resp.). Let $V$ be labelled 
by $j$. The labelling of the child nodes depends on whether $a_{2i}$ and/or $a_{2i+1}$ are 
linearly dependent of the previous equations or not: 

A) Both are independent. In this case, no contradiction occurs. The left child is 
labelled $j - 2$ and the right child is labelled $j - 1$. 

B) $a_{2i}$ is independent, $a_{2i+1}$ is not. Both children are labelled $j - 1$. However, 
a contradiction occurs in $V_1$ with probability of 1/2. 

C) $a_{2i}$ is dependent, $a_{2i+1}$ is not. The left child is labelled $j - 1$, while the right 
child is labelled $j$. However, a contradiction occurs either in $V_1$ or in $V_0$, with 
equal probability. 




[Figure: the possible shapes of branchings of type A, B and C; they occur with probability 1 (A), 1/2 and 1/2 (B), 1/2 and 1/2 (C).] 
D) Both are dependent. In this case, both child nodes have the same label as the 
parent node. Due to the linear dependency of a_{2i} there occurs a contradiction 
in either V_1 or V_0, with equal probability. In addition, there is an additional 
probability of 1/2 that a_{2i+1} leads to a contradiction in V_1. 







[Figure: the three possible shapes of a type D branching, occurring with probability 1/4, 1/2 and 1/4.] 



Definition 1. A well-formed tree T_ℓ^f is a binary tree where only branchings 
of type A occur, i.e., for every node that is not a leaf, the following rule holds: 
If the label of the node is j, then the label of its left child is j − 2 and the label 
of its right child is j − 1. 

A malformed tree is an arbitrary tree of guesses that contains at least one 
branching of type B, C or D. 

Essentially, the notion of a well-formed tree describes the tree of guesses under 
the assumption that all linear equations (of both type 1 and 2) are linearly 
independent. Note that such a tree is highly unlikely for large ℓ. Nonetheless, 
the well-formed tree plays an important role in establishing the overall number 
of leaves for the tree of guesses. We proceed now to prove that on average, a 
malformed tree has at most the same number of leaves as a well-formed tree. 



Theorem 1. Let C_ℓ^f denote the number of leaves of a well-formed tree T_ℓ^f. Let 
C_ℓ denote the maximum number of leaves in a tree T_ℓ that may or may not be 
malformed. Then in the average case, C_ℓ ≤ C_ℓ^f holds. 

Proof. The proof is by induction. Obviously, the inequality holds for C_{−1} and 
C_0, since the trees T_{−1} and T_0 consist only of a root without a child. Thus, C_{−1} = 
C_{−1}^f = 1 and C_0 = C_0^f = 1. 

Now consider C_ℓ, ℓ ≥ 1. First note that since the theorem holds for C_{ℓ−1} and 
C_{ℓ−2}, it follows that 

C_{ℓ−1} + C_{ℓ−2} ≤ C_{ℓ−1}^f + C_{ℓ−2}^f = C_ℓ^f.   (1) 

Also note that even in the worst possible branching case, we have 

C_ℓ ≤ 2 · C_{ℓ−1}   (2) 

for all ℓ. Using these two facts, we can prove an upper bound for C_ℓ by distin- 
guishing the following cases (identical to the ones given above): 

A) Let the tree T_ℓ be composed of a subtree with at most C_{ℓ−2} leaves and a 
subtree with at most C_{ℓ−1} leaves. It follows for the maximum number C_ℓ^A 
of leaves of such a tree that 

C_ℓ^A ≤ C_{ℓ−2} + C_{ℓ−1} ≤ C_ℓ^f. 

B) The tree T_ℓ is composed of either one or two subtrees, having at most C_{ℓ−1} 
leaves each. Consequently, C_ℓ^B ≤ 1/2 · C_{ℓ−1} + C_{ℓ−1}. Using (2), we have 

C_ℓ^B ≤ C_{ℓ−2} + C_{ℓ−1} ≤ C_ℓ^f. 

C) The tree T_ℓ is composed of only one subtree with at most C_{ℓ−1} or C_ℓ leaves, 
resp. (with equal probability). We have C_ℓ^C ≤ 1/2 · (C_{ℓ−1} + C_ℓ), and using 
(2), derive 

C_ℓ^C ≤ 1/2 · (2C_{ℓ−2} + 2C_{ℓ−1}) = C_{ℓ−2} + C_{ℓ−1} ≤ C_ℓ^f. 

D) The tree T_ℓ has one of the forms given in case D. Then, for the average 
number C_ℓ^D of leaves in this tree, we have C_ℓ^D ≤ 3/4 · C_ℓ. Using (2) repeatedly, 
we get 

C_ℓ^D ≤ 3/2 · C_{ℓ−1} = C_{ℓ−1} + 1/2 · C_{ℓ−1} ≤ C_{ℓ−1} + C_{ℓ−2} ≤ C_ℓ^f. 

Since C_ℓ = max{C_ℓ^A, C_ℓ^B, C_ℓ^C, C_ℓ^D}, we have C_ℓ ≤ C_ℓ^f. □ 

5.2 Size of a Well-Formed Tree 

We have shown that the number C_ℓ of leaves in an arbitrary tree of guesses is 
on average not bigger than the number C_ℓ^f of leaves in a well-formed tree. We 
now prove an estimate for C_ℓ^f and thus an upper bound for C_ℓ. 

Theorem 2. Let C_ℓ^f denote the size of a well-formed tree T_ℓ^f. Then we have 
α^ℓ ≤ C_ℓ^f ≤ (2/α) · α^ℓ for all ℓ ≥ 0, where α = (1 + √5)/2 ≈ 2^{0.6942419}. 

Proof. Note that for all ℓ ≥ −1, C_ℓ^f satisfies the recursion C_{ℓ+2}^f = C_{ℓ+1}^f + C_ℓ^f 
with C_{−1}^f = C_0^f = 1. 

Let α be the unique positive solution of x^2 = x + 1, i.e. α = (1 + √5)/2. In this case, 
the function F(ℓ) = α^ℓ also satisfies the recursion F(ℓ + 2) = F(ℓ + 1) + F(ℓ) 
for all ℓ ≥ 0. Since C_0^f = F(0) and C_1^f = (2/α) · F(1), we have F(ℓ) ≤ C_ℓ^f ≤ (2/α) · F(ℓ) for all 
ℓ ≥ 0. □ 

Note that 2/α ≈ 1.236068. Thus, we have found the upper bound of the average 
search tree to be C_ℓ ≤ (2/α) · 2^{0.694ℓ} ≈ 2^{0.694ℓ + 0.306}. 

5.3 Worst Case Considerations 

The above result can be applied directly to the tree of guesses described above. 
Remembering that such a search tree actually has a root labelled ℓ = L − 2, we 
can upper bound the average number of leaves by C_L ≤ 2^{0.694L − 0.918}. 

This upper bound seems to hold even for the worst case, provided that L 
is large enough. Remember that Assumption 1 stated that in case of a linearly 
dependent equation, a contradiction occurs with probability 1/2. Now remember 
from the description of the search tree that linearly dependent equations do not occur before depth ⌊L/2⌋ 
is reached. This, in turn, means that for large L, there exists a large number 
of nodes labelled j for each j < L − ⌊L/2⌋. We can thus apply the law of large 
numbers, stating that the actual number of contradictions is very close to the 
expected number of contradictions. Thus, the number of leaves should be close 
to the above bound not only for the average case, but for almost any tree of 
guesses. 

In order to give some more weight to this rather informal argument, we will 
provide some empirical evidence for this conjecture in section 6. 

5.4 Running Time of the Algorithm 

The asymptotically most expensive single step of the backtracking algorithm 
presented above is the testing of the linear dependency of new equations. 
This operation in itself takes O(L^2) elementary steps and has to be repeated 
once or twice in each node of the tree of guesses. 

Thus, we have to establish an upper bound for the maximum number of 
nodes in the tree. Since the tree will be malformed, it contains nodes that have 
only one child. It is thus impossible to upper bound the number of nodes by 
2 · C_L − 1, as could be done for a proper binary tree. We can, however, prove 
that the maximum depth of the search tree is L − 1. 

Proposition 2. If the linear recurrent sequence (a_i)_{i≥0} is of maximum length, 
then the tree has maximum height of L − 1.(†) 

Proof. In any node of depth i, we have exactly i + 1 equations of type 1 at our 
disposal (and a varying number of equations of type 2). Thus, at depth L − 1, 
we have exactly L such equations, namely a_0, a_2, ..., a_{2L−2}. 
By a theorem on maximum length linear recurrent sequences (see e.g. [ref], p. 76), 
there exists a k such that the following holds: 

(a_k, a_{k+1}, ..., a_{k+L−1}) = (a_0, a_2, ..., a_{2L−2}) 

Since a_k, ..., a_{k+L−1} must be linearly independent, the same holds for a_0, a_2, ..., 
a_{2L−2}. Consequently, we have L linearly independent equations of type 1 in any 
node of depth L − 1, allowing us to solve the system and derive a key candidate. 
Thus, no node of the tree will have depth ≥ L. □ 

We can use this fact to upper bound the number of nodes. Consider the 
largest binary tree (w.r.t. the number of nodes) with height L − 1 and C_L leaves. 
This tree is a complete binary tree from depth 0 to p = ⌊log C_L⌋. From depth 
p + 1 to depth L − 1, the tree has constant width C_L. 

(†) Note that this proposition only holds for maximum length sequences. The use of 
shorter sequences, however, would be a breach of elementary design principles, since 
it would facilitate a number of other attacks. It does not seem to increase resistance 
against our attack either; it just makes the proof harder. 
Let N_L denote the number of nodes in a search tree. It follows that N_L is at 
most the size of this worst possible tree: 

N_L ≤ (2^{p+1} − 1) + (L − p − 1) · C_L 

Note that both 2^{p+1} and C_L are in O(C_L). Ignoring all constant summands and 
factors to C_L, we obtain: 

N_L ∈ O((L − p) · C_L) 

    = O(0.306L · 2^{0.694L − 0.918}) 

    = O(0.162L · 2^{0.694L}) 

Remembering that in each node, a linear equation has to be inserted into an 
equation system, and ignoring constant factors again, we derive a total asymp- 
totic running time in O(L^2 · 2^{0.694L}). 

6 Experimental Results 

6.1 Results on the Number of Leaves 

In section 5 we have proven the number of leaves in the search tree to be 
upper bounded by 2^{0.694L − 0.918} in the average case. This result leaves a number 
of interesting questions open. Since we have only derived an upper bound: how 
close is this value to the average number of leaves that do occur in an actual 
search?(‡) And what about the conjecture in section 5.3: is C_L also an upper 
bound for the worst case, for large L? 

In order to answer those questions, the key reconstruction algorithm described 
above has been implemented and tested against all keys and all primitive 
polynomials for L = 3, ..., 16. The main results of this simulation are given in 
the left half of Table 2. Here, C_avg and C_max denote the average and maximum 
number of leaves encountered in the experiments. C_bound = 2^{0.694L − 0.918} denotes 
the upper bound as calculated in section 5. For ease of comparison, all values 
are given in logarithmic notation. 

First observe that the values C_avg and C_max are very close; they differ by a factor 
φ with 1 < φ < 1.33. Of course, this may or may not hold for larger values of 
L, but for small L, the maximum number of leaves does not stray very far from 
the average. 

Also observe that for L > 8, C_bound seems to be a proper upper bound not 
only for the average case, but also for the maximum number of leaves in the 
search tree. Note especially that for L > 8, the gap between C_max and C_bound 
seems to be widening with increasing L. Nonetheless, additional empirical or 
mathematical evidence for larger L might be necessary before our conjecture 
from section 5.3 can be considered confirmed. 

(‡) We must take care not to confuse the average case of the analysis with the average 
number of leaves in the search tree; they are quite different mathematical objects. 
                 Number of leaves                     Number of nodes 
  L      C_avg     C_max     C_bound       N_avg     N_max     N_bound 
  3      ?         2^1.00    ?             2^1.58    2^1.58    ? 
  4      2^1.55    2^1.58    2^1.86        2^2.57    2^2.81    2^2.15 
  5      2^2.29    2^2.58    2^2.55        2^3.28    2^3.46    2^3.17 
  6      2^2.85    2^3.17    2^3.25        2^4.21    2^4.64    2^4.12 
  7      2^3.58    2^3.81    2^3.94        ?         2^5.43    2^5.04 
  8      2^4.23    2^4.64    2^4.63        2^5.61    2^5.93    2^5.93 
  9      2^4.88    2^5.29    2^5.33        2^6.35    2^6.79    2^6.79 
 10      2^5.53    2^5.88    2^6.02        2^7.05    2^7.55    2^7.64 
 11      ?         2^6.5?    2^6.72        ?         ?         ? 
 12      2^6.87    2^7.26    2^7.41        2^8.46    2^8.89    2^9.29 
 13      2^7.56    2^7.92    2^8.10        2^9.16    2^9.73    2^10.10 
 14      2^8.25    2^8.56    2^8.80        2^9.85    2^10.20   2^10.90 
 15      2^8.9?    2^9.23    ?             2^10.56   ?         ? 
 16      2^9.61    2^9.90    2^10.19       2^11.25   2^11.64   2^12.48 

Table 2. Empirical Results (cells marked ? are illegible in the scanned source) 



6.2 Results on the Number of Nodes 

In the right half of the table, we give the results on the number of nodes. Again, 
N_avg and N_max denote the average and maximum values encountered in the 
experiments, while N_bound = 0.162L · 2^{0.694L} denotes the mathematical bound 
as given in section 5.4. 

It seems that for L > 7, N_bound is an upper bound for the number of nodes 
in the worst possible case. As with the results on the number of leaves, the gap 
between N_max and N_bound seems to be widening with increasing L, but again, 
more data for larger L would be helpful. We also note that N_avg and N_bound are 
very close to each other. 

An interesting side observation is that N_avg ≈ 2 · C_bound, i.e. that the average 
number of nodes appears to be almost exactly twice the mathematical upper 
bound for the number of leaves as derived in section 5.3. This is not apparent 
from the mathematical analysis in section 5 and may thus be an interesting 
starting point for future research. 
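As an added example (not the paper's implementation), the following Python code re-runs the section 6 experiment on a small scale: it checks the recursion and bounds of Theorem 2 and section 5.4, then walks the tree of guesses for every non-zero key of one constructed primitive feedback polynomial (x^8 + x^4 + x^3 + x^2 + 1) and reports leaf and node counts next to C_bound and N_bound. The equation-system bookkeeping (echelon form over GF(2) with contradiction detection) is an assumed implementation of the backtracking described above, not the authors' code.

```python
from math import log2, sqrt

ALPHA = (1 + sqrt(5)) / 2      # positive root of x^2 = x + 1, about 2^0.6942419

def well_formed_leaves(l):
    """C^f_l of Theorem 2: C^f_{l+2} = C^f_{l+1} + C^f_l with C^f_{-1} = C^f_0 = 1."""
    a, b = 1, 1
    for _ in range(l + 1):
        a, b = b, a + b
    return a

def theorem2_holds(l):
    """alpha^l <= C^f_l <= (2/alpha) * alpha^l, allowing a tiny float tolerance."""
    c = well_formed_leaves(l)
    return ALPHA ** l <= c * (1 + 1e-12) and c <= (2 / ALPHA) * ALPHA ** l * (1 + 1e-12)

def log2_c_bound(L):
    """log2 of C_bound = 2^(0.694L - 0.918), the leaf bound for a root labelled L - 2."""
    return 0.694 * L - 0.918

def log2_n_bound(L):
    """log2 of N_bound = 0.162L * 2^(0.694L), the node bound of section 5.4."""
    return log2(0.162 * L) + 0.694 * L

def lfsr_masks(L, exps, n):
    """GF(2) row masks with a_j = <masks[j], s> for the initial state s; exps are the
    exponents below x^L of the feedback polynomial (x^8+x^4+x^3+x^2+1 -> [0, 2, 3, 4])."""
    m = [1 << j for j in range(L)]
    for j in range(L, n):
        x = 0
        for e in exps:                 # a_j = XOR over e of a_{j-L+e}
            x ^= m[j - L + e]
        m.append(x)
    return m

def self_shrink(L, exps, state, nbits):
    """Self-shrinking generator: output a_{2i+1} exactly when a_{2i} = 1."""
    a = [bin(m & state).count('1') & 1 for m in lfsr_masks(L, exps, 16 * nbits + 4 * L)]
    return [a[2 * i + 1] for i in range(len(a) // 2) if a[2 * i]][:nbits]

class System:
    """Equations <mask, s> = rhs over GF(2), kept in echelon form keyed by pivot bit."""
    def __init__(self, rows=None):
        self.rows = dict(rows or {})

    def insert(self, mask, rhs):
        """Reduce by the stored rows; report 'new', 'dependent' or 'contradiction'."""
        for p in sorted(self.rows, reverse=True):
            if mask >> p & 1:
                m, b = self.rows[p]
                mask, rhs = mask ^ m, rhs ^ b
        if mask == 0:
            return 'dependent' if rhs == 0 else 'contradiction'
        self.rows[mask.bit_length() - 1] = (mask, rhs)
        return 'new'

    def solve(self):
        """Back-substitution once every bit 0..L-1 is a pivot (lower bits fixed first)."""
        s = 0
        for p in sorted(self.rows):
            m, b = self.rows[p]
            if b ^ (bin(m & s).count('1') & 1):
                s |= 1 << p
        return s

def tree_of_guesses(L, exps, keystream):
    """Backtracking over guesses of a_0, a_2, a_4, ...; returns (candidates, stats)."""
    masks = lfsr_masks(L, exps, 2 * L + 2)
    stats, cands = {'leaves': 0, 'nodes': 0, 'depth': 0}, []

    def walk(eqs, i, k):               # i pairs guessed so far, k keystream bits used
        stats['nodes'] += 1
        stats['depth'] = max(stats['depth'], i)
        if len(eqs.rows) == L:         # L independent equations: solve, this is a leaf
            stats['leaves'] += 1
            cands.append(eqs.solve())
        elif i < L:                    # depth L is never exceeded for an m-sequence
            s0 = System(eqs.rows)      # a_{2i} = 0: pair discarded, one new equation
            if s0.insert(masks[2 * i], 0) != 'contradiction':
                walk(s0, i + 1, k)
            s1 = System(eqs.rows)      # a_{2i} = 1: a_{2i+1} equals keystream bit k
            if (s1.insert(masks[2 * i], 1) != 'contradiction'
                    and s1.insert(masks[2 * i + 1], keystream[k]) != 'contradiction'):
                walk(s1, i + 1, k + 1)

    walk(System(), 0, 0)
    return cands, stats

def experiment(L, exps):
    """Run the search for every non-zero key; report log2 averages/maxima and bounds."""
    runs, recovered = [], 0
    for key in range(1, 1 << L):
        cands, st = tree_of_guesses(L, exps, self_shrink(L, exps, key, L + 1))
        recovered += key in cands      # the true key must appear among the candidates
        runs.append(st)
    avg = lambda f: log2(sum(r[f] for r in runs) / len(runs))
    top = lambda f: log2(max(r[f] for r in runs))
    return {'recovered': recovered, 'keys': len(runs), 'depth': top('depth'),
            'log2_c_avg': avg('leaves'), 'log2_c_max': top('leaves'),
            'log2_n_avg': avg('nodes'), 'log2_n_max': top('nodes'),
            'log2_c_bound': log2_c_bound(L), 'log2_n_bound': log2_n_bound(L)}
```

Calling experiment(8, [0, 2, 3, 4]) gives one polynomial's share of the L = 8 row of Table 2; the candidate list at each leaf still has to be checked against further keystream, which the count does not include.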



7 Design Recommendations 

The effective key size against our attack is less than 70% of the key length. 
For a register length of 120 bit, the backtracking attack runs in O(2^{83}) steps 
and is probably not feasible in today's practice. Our attack, however, is easily 
parallelised, allowing an adversary to use as many parallel processors at once 
as he can afford. Since each processor can operate on its own segment of the 
tree (without any need of communication with the other ones), k processors 
can reduce the running time by a factor of k. Thus, a generator using a shorter 
register is in real danger of being compromised. We conclude that the minimum 
length of a self-shrinking generator should exceed 120 bit. 

Note that our attack relies on the feedback logic of the register being known. 
If it is not, the attack has to be repeated for all primitive feedback polynomials 
of length L, yielding an additional working factor of φ(2^L − 1)/L. Security of 
the self-shrinking generator can thus be increased significantly by following the 
proposal given in [ref]: use a programmable feedback logic and make the 
actual feedback polynomial a part of the key. 

Finally, observe that the use of sparse feedback polynomials makes our attack 
slightly more effective. If the more significant bits depend on only a few of the less 
significant bits, the probability of linearly dependent equations increases, yielding 
a tree of guesses that is more slender than the average case tree considered above. 
However, as stated in section 6.1, the sizes of worst case and best case trees seem 
to differ by less than a factor of 2. Nonetheless, sparse feedback polynomials 
should be avoided in designing most stream ciphers, the self-shrinking generator 
being no exception. 

Acknowledgement We would like to thank one of the anonymous referees for a 
number of very helpful comments. 
Attacks Based on Small Factors in Various Group Structures 

Abstract. We describe new attacks that can be launched on some well 
known signature schemes. The attacks are related to Lim and Lee's key 
recovery attacks in prime order subgroups. Several new attacking scenar- 
ios are described where the group order can be either prime, composite, 
or unknown. These attacks are able to compromise certain properties of 
complex protocols such as identity revelation by the revocation manager 
in a group signature setting, or owner tracing in fair electronic cash. 
It is suggested that safe primes must be considered for use in all such 
protocols, together with a proof of safe parameter selection. 



1 Introduction 

Many cryptographic protocols operate in a subgroup of some larger group, gen- 
erally placing restrictions on the parameter selection of the larger group. In 
many cases group operations are performed within a prime order subgroup of a 
much larger group, whilst in others, operations occur in a group of composite 
modulus within a larger group. The most obvious primitive protocols that sat- 
isfy these characteristics include the Diffie-Hellman [ref], Schnorr [22] and other 
ElGamal-type protocols. 

These well known primitives serve as the basis for signature and encryption 
schemes; more complex schemes build upon these to provide additional proper- 
ties such as undeniability [ref], blindness [ref], and group membership [ref]. Further 
work has also given rise to complex protocols furnishing a variety of security 
related applications, including electronic cash [ref] and election protocols [ref]. 

Many researchers have noted the usefulness of setting a protocol in a prime 
order subgroup of a larger group. In this paper it is shown that, unless the larger 
group takes on a specific form, then potential exists for protocol exposure. The 
special form we refer to is that the order of the large group should have no 
factors smaller than the order of the subgroup (with the possible exception of 
the factor 2 which often cannot be avoided). For example, in a subgroup of Z_p^* 
of prime order q, (p − 1)/2 should have no factors smaller than q. 

Lim and Lee [ref] demonstrated how a key recovery attack can be launched 
against many published schemes given such parameters. They also describe how 



V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 36-..., 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 



to launch a general attack on schemes working in prime order subgroups. Their 
basic idea is to employ a substitution α → γα mod p, where γ is a generator of a 
small subgroup of Z_p^*; we call this the direct low order attack. They demonstrate 
a direct low order attack on the undeniable signature algorithm used in Brands' 
cash scheme and also show how to compromise discrete log based systems in a 
prime order subgroup by obtaining a signature on γα, where the order of γ is a 
factor of the order of the larger group Z_p^*. 

With the fundamental notion of the direct low order attack in mind, we show 
in this paper several new attacks and weaknesses based on the existence of small 
order elements in various multiplicative groups. Some of these attacks apply to 
protocols published subsequent to the Lim and Lee attack [ref], while others 
apply to earlier protocols that use alternative algebraic structures, specifically 
subgroups with non-prime order. Some such protocols continue to select param- 
eters based solely upon primality. As these security protocols are extended to 
take on additional properties the possibility exists for new attacks. 

1.1 Contribution 

This paper demonstrates several new attacks by extending the fundamental no- 
tion of Lim and Lee [ref], applied to prime order subgroups, to various different 
group structures and protocol settings. Recall that a prime p is called safe if 
(p − 1)/2 is also prime. We show that fixing the schemes may be dependent upon 
selecting parameters as safe primes (or the product of safe primes) and proofs 
that they have this safe form. 

We demonstrate our attacks on a group signature scheme of Camenisch and 
Stadler [ref]. Schemes which employ this as a primitive, such as cash, voting, 
and auction protocols, may all inherit a similar exposure. Specifically, an attack 
is shown where a member of a group may sign on behalf of the group in a 
manner that prevents the group manager from revoking the identity of the group 
member. Further attacks on specific electronic cash schemes, which make use of 
various signature schemes as primitives, are also presented. 

We analyse possible precautions for avoiding the attack, concluding that 
selection of a safe prime is required together with a proof of such a safe selection 
(required when the group order is unknown). In addition, there still exists the 
need to check protocol elements due to the presence of the element of order 
two. Finally, it is suggested that selection of safe primes is desirable for security 
protocols in general. This is based on the evolutionary pattern that follows such 
original protocols, where new properties are later devised which may possibly 
be thwarted by the presence of factors in large multiplicative groups. 

We regard the following as the main contributions of this paper. 

— We show that attacks based on factors may be applied to various multiplica- 
tive group structures(†), outlining how attacks may be mounted where the 
group order is prime, non-prime, or unknown. 

(†) Lim and Lee's attack applies to prime order subgroups, where the prover applies the 
signature key to elements supplied by another party [ref]. 
— We demonstrate ways to attack group signature schemes where the group 
manager cannot identify the group member who generated a signature. 

— We detail exposures and protocol weaknesses of some electronic cash schemes. 

— We show how protocols in their original form may exhibit no exposure, but 
when used as a primitive in a more complex protocol an attack can be 
launched. 

— We propose several techniques to avoid such attacks. 



1.2 Organisation of Paper 

The next section provides a background to the central observations of the attack 
and the related work of attacks based on subgroups. We then outline specific 
attacks that can be made on some published schemes to illustrate the exposure. 
This includes a specific attack on group signature schemes, exposures to protocols 
based upon these signature techniques, and some weaknesses in electronic cash 
schemes. We then sketch possible ways to avoid this type of attack. 

2 Background and Related Work 

Attacks exploiting subgroup structures are not new, and several researchers have 
used their properties to expose protocol weaknesses. Lim and Lee [ref] used el- 
ements of smooth order in key recovery attacks on discrete log based schemes 
that use a prime order subgroup. Burmester [ref] observed that a false Schnorr 
public key may be issued that is able to fool verification. Each of these works 
will now be reviewed. 

Lim and Lee [ref] outline several key recovery attacks on discrete log based 
schemes operating in the large group Z_p^*, or some prime order subgroup. These 
attacks are able to disclose the secret key in key agreement protocols and ElGa- 
mal signature schemes. The specific attacks depend on finding partial discrete 
logarithms y_i to the base α, where α is an element of low order. This is possible 
by breaking down the discrete logarithm problem over Z_p^* into several smaller 
problems in subgroups using the Pohlig-Hellman decomposition [ref], defined by 
low order elements of Z_p^*. 

Burmester [ref] previously pointed out that it is possible to cheat using the 
Schnorr identification scheme. Recall that the Schnorr scheme uses primes p and 
q where q | p − 1, and a generator g of G of order q. The private key is x and 
the public key h = g^{−x} mod p. The prover first chooses w ∈_R Z_q and forwards 
a = g^w mod p to the verifier. The verifier generates a challenge c ∈_R Z_q and 
the prover sends the response r = cx + w mod q. The verification equation is 
a = g^r h^c mod p. Burmester points out that if the signer publishes some public 
key h' = β^{−x} mod p, where β is of order 2q and x is odd, then the probability that 
the verification will hold is 1/2. To achieve this the prover sends a = g^w mod p 
or a = g^w h' mod p (in an attempt to guess the parity of the verifier's challenge 
c), and then returns r = cx/2 + w mod q if c is even and otherwise r = x(c − 
1)/2 + w mod q. The verifier will find that a = g^r h'^c mod p holds if the prover 
has correctly guessed the parity of the challenge; this occurs with probability 
1/2. To prevent the attack the verifier should check that h' lies within the prime 
order subgroup G, by checking h'^q mod p = 1. Burmester also points out an 
exposure in the Fiat-Shamir [ref] scheme using a composite modulus. 

Recently Boudot [ref] observed a weakness in the proof of security for Girault's 
scheme [ref] by exploiting the element of order two in the setting of discrete 
logarithm with a composite modulus. 

We here detail the central observation and then show how one may construct 
alternative attacks. Let G be a prime order subgroup of Z_p^* of order q, where 
q | p − 1 and p, q prime, and let g be a generator of G. Let α ∈ G and γ ∈ Z_p^* be 
of order t < q. Then given an integer x ∈ Z_q such that g^x = α, it follows that 
(γg)^x = α mod p when t | x. When there are no conditions on the choice of the 
prime p, p − 1 will likely have many factors less than q. A similar observation 
can be made regarding composite modulus systems. Note that in the case of 
composite modulus systems a test for group membership may not be possible if 
the order of the group is unknown. The direct low order attack of Lim and Lee 
makes the transformation α → γα, where ord(γ) < ord(α), and the signing entity 
directly applies its signature key (exponent). In this paper we demonstrate how 
alternative attacks may be launched on several well known protocols that use 
various multiplicative group structures. 

3 Attacks on Group Signature Schemes 

In this section we show how an attack may work against group signature schemes 
that allows a group member to sign on behalf of the group in a manner that pre- 
vents the group manager from revealing the member’s identity. We then outline 
a collusion attack between a group member and the group manager, showing 
that the group manager must prove to each group member that the order of the 
group contains no small factors. 

Group signatures were introduced by Chaum and van Heyst [ref]. Camenisch 
and Stadler [ref] designed a group signature scheme where the public key of the 
group remains constant in size and complexity with an increasing group size. 
Group signature schemes enable a member of a group to generate a signature 
on behalf of the group. Each group member has a unique signing key, however 
signed messages may be verified using the single public key for the group. There 
is an additional entity, the group manager, which is able to reveal the identity 
of the group member who is responsible for creating any signature on behalf of 
the group. There are five operation phases of a group signature scheme. 

Setup - generates the group public key and secret administration key of the 
group manager. 

Join - enables a member to join the group, creating a membership certificate 
on her private key. 

Sign - group member signs on behalf of the group using her private key. 

Verify - checks the signature using the public key of the group. 

Open - reveals the identity of the group member who generated a signature. 
The responsibilities of the group manager may be split into those of the 
membership manager who administers the Join operation, and the revocation 
manager who is responsible for the Open operation. 

Camenisch and Stadler [ref] stated that group signature schemes must satisfy 
the property that ‘group members can neither circumvent the opening of a sig- 
nature nor sign on behalf of other group members’. In the attack that follows it 
is shown that the opening protocol may be thwarted: a valid group member may 
generate a signature on behalf of the group in way that prevents the revocation 
manager from revealing the identity of the member. 

The scheme of Camenisch and Stadler relies on two 'signatures of knowl- 
edge', known as SKLOGLOG and SKROOTLOG. The first of these provides 
a signature of a message m that proves that the signer knows the double discrete 
logarithm of a given value with respect to two base values. The second provides 
a signature of m that proves that the signer knows the e-th root of a discrete 
logarithm of a known value for a known e and base value. Our attack is based 
on the observation that these signatures may be generated in an incorrect form 
if the known values are not in the subgroup G where they are intended to lie. 

3.1 Preventing Opening of Signatures 

The setup of the Camenisch-Stadler scheme [ref] involves the selection of se- 
curity parameter l by the group manager and publication of the public key 
(n, e, G, g, a, λ, ν): 

— RSA public and private keys [ref] are (n, e) and d respectively. 

— a cyclic group G = ⟨g⟩ of order n in which computing discrete logarithms 
is infeasible. We assume that G is a subgroup of Z_P^* where P is prime and 
n | P − 1, as suggested by Camenisch and Stadler. 

— a collision resistant hash function H which takes strings of any length to 
strings of a fixed length (suggested as 160 bits by Camenisch and Stadler). 

— a ∈ Z_n^* of large multiplicative (unknown) order modulo both prime factors 
of n. 

— an upper bound λ on the length of the secret keys and a constant ν > 1. 

Definition 1. A signature of knowledge, for the message m, of the double dis- 
crete logarithm of z to the bases g and a is a tuple (c, s_1, ..., s_l) satisfying 

c = H(m ‖ z ‖ g ‖ a ‖ G ‖ t_1 ‖ ... ‖ t_l) with t_i = g^{a^{s_i}} if c[i] = 0 and t_i = z^{a^{s_i}} if c[i] = 1, 

and is denoted SKLOGLOG[α : z = g^{a^α}](m). 

Camenisch and Stadler state that SKLOGLOG[α : z = g^{a^α}](m) can only 
be computed with knowledge of α = x, the double discrete logarithm of z. We 
now show that this statement is not quite accurate unless additional checks are 
made beyond what is in Definition 1. The following attack is a small variation 
on the generation of a correct signature as specified by Camenisch and Stadler. 
1. Choose ε ∈ Z_P^* of low order t, and replace z by εz mod P. Finding such an 
ε is not hard: first find a generator g_0 of Z_P^* by trial and error and then set 
ε = g_0^{(P−1)/t}. In general there may be many small values of t with t | (P − 1)/n, 
and t = 2 will always be a possible choice. 

2. Choose r_i ∈_R {0, ..., 2^{λν} − 1}, for i = 1 to l, such that a^{r_i − x} mod n is a 
multiple of the order t. Note that, although this property is ensured for all 
i, it will only be required for around half the values, depending on the value 
of c found in the next step. Of course, the attacker is not able to guess in 
advance for which i values the property will be required. If t = 2, then on 
average this will require two trials for each r_i, so that a^{r_i − x} mod n is even. 

3. Next compute c = H(m ‖ z ‖ g ‖ a ‖ G ‖ t_1 ‖ ... ‖ t_l) and set 

s_i = r_i       if c[i] = 0 
s_i = r_i − x   if c[i] = 1 

The signer now claims that (c, s_1, ..., s_l) is a valid signature of knowledge 
SKLOGLOG[α : z = g^{a^α}](m). It can be seen that the verification equation 
still holds since the choice of r_i in step 2 has ensured that a^{s_i} in Definition 1 
will always be a multiple of t when c[i] = 1. Yet the signer certainly does not 
know the double discrete logarithm of z. In fact if n is a good RSA modulus 
then ε ∉ G and so no such double discrete logarithm even exists! 

A very similar forgery is possible for the second signature of knowledge, 
SKROOTLOG, used by Camenisch and Stadler. Now we describe the group 
signature setup in which these two signatures of knowledge are used. 

A group member obtains her membership certificate (y + 1)^d mod n, by choos- 
ing x ∈_R {0, ..., 2^λ − 1}, computing y = a^x mod n and membership key g^y. 
The pair (y, g^y) is forwarded to the group manager whilst proving knowledge of 
log_a(y). When convinced the group manager returns the membership certificate 
β = (y + 1)^d mod n. 

Signing Procedure. To sign a message m the group member chooses r ∈_R Z_n^*, 
computes ĝ = g^r mod P, z = ĝ^y mod P, and forms V_1 = SKLOGLOG[α : z = 
ĝ^{a^α}](m) and V_2 = SKROOTLOG[β : zĝ = ĝ^{β^e}](m). 

To mount the attack, the following steps are performed by the group member. 

1. Choose r ∈_R Z_n^* and compute ĝ = g^r. 

2. Choose ε of order t < n, and replace z by εz. 

3. Form V_1 = SKLOGLOG[α : z = ĝ^{a^α}](m) and V_2 = SKROOTLOG[β : 
zĝ = ĝ^{β^e}](m) as shown above. 

The signature consists of the tuple (ĝ, z, V_1, V_2) and the verification consists 
of checking that V_1 and V_2 are correct signatures of knowledge. The purpose of 
V_1 is to show that the signer is a valid group member because V_1 confirms that 
z is of the form ĝ^{a^α}; this proves the signer knows some value α = x. Then, since 
zĝ = ĝ^{a^α + 1}, V_2 proves that the signer has a membership certificate (a^α + 1)^d 
for the secret value α = x. 
At some later point, if foul play is suspected, the signature (ĝ, z, V_1, V_2) may 
be forwarded to the revocation manager to attempt to reveal the identity of the 
group member. This is usually done by checking if ĝ^{y_i} = z for the key y_i of each 
group member i. However in this case ĝ^{y_i} ≠ z and hence the revocation manager 
is unable to identify the group member. 

As noted above, the simplest attack is where the order of e is 2. This can 
be varied by choosing an element of higher order, whilst ensuring that the order 
t < n. A larger order, however, requires a longer running time in the signing 
procedure to determine values that will enable the attack to succeed. 

It is worth noting that Ateniese and Tsudik [ref] have shown that there is a 
weakness in the Camenisch and Stadler scheme, unrelated to the attack presented 
here. A suggested fix, which alters the definition of the membership certificate, 
does not affect the validity of our attack. The attack as described here can be 
prevented if the verifier checks that z is actually in the group G (as implicitly 
claimed). This can be achieved at the cost of one exponentiation by verifying 
that z" mod P = 1. However, we will see below that this check by itself is not 
enough to prevent the attack in general. 

An essentially identical attack to that described here may be made against the
scheme of Stadler [?] for publicly verifiable encryption of discrete logarithms.
(Indeed the SKLOGLOG is based on that scheme.) Such a scheme is designed
to ensure that any party can verify that shares of a discrete logarithm of a known
value have been correctly distributed to a set of trustees. The attack can be used
by the dealer of the secret to prevent trustees from recovering the correct shares
even though the verification equation has been checked.

In Stadler's scheme the prover forms an ElGamal ciphertext, which is a pair
$(A, B)$. The prover then proves to the verifier that when decrypted by the private
key of a designated party the corresponding plaintext for $(A, B)$ will be the
discrete logarithm of a known value $V$. The proof is identical to the SKLOGLOG
discussed above and the same attack will work. This allows the prover to use a
value $V' = eV$, for any low order element $e$, and 'prove' that $(A, B)$ will decrypt
to the discrete logarithm of $V'$. Whether this results in a meaningful attack will
depend on the exact application for which verifiable encryption is used.

A related group signature scheme has been published more recently by Camenisch
and Michels [?]. In this more recent scheme it is required that the RSA
modulus used is a product of safe primes, and the membership manager is
required to prove that this is the case. Therefore the attack described
here does not apply.

3.2 Collusion Attacks 

We now show a collusion attack where the membership manager and one group
member may generate a signature that once again prevents the revocation manager
from revealing the identity with the correct use of the revocation protocol.
Suppose that the membership manager chooses $n = pqw$. The manager may then
collaborate with one group member and reveal the factor $w$ of $n$. The membership
manager can reveal $w$ while it is still computationally infeasible for the
group member to factorise $n$, and thus obtain $p$ and $q$. Then, using the attack
outlined in the previous section, the group member is able to generate a group
signature on some message which prevents the identity from being revealed with
the correct use of the revocation protocol. The attack proceeds as follows:

— The membership manager selects $n = pqw$ and generates the prime $P$ such
that $n \mid P-1$.

— The membership manager reveals $w$ to one group member but not to any
other party (including the revocation manager).

— The membership manager generates $g$ to be an element of order $pq$ and
publishes the usual parameters including $g$.

— The group member finds an element $e$ of order $w$. This can be achieved
with high probability by choosing a random element $S \in \mathbb{Z}_P^*$ and setting
$e = S^{(P-1)/w} \bmod P$.

— At signature time the group member replaces $z$ with $z' = ez$ and the attack
proceeds as above.

In distinction to the previous attack, checking that $z' \in G$ in this instance will
not reveal any problem. This is because the small order element is now actually
in the group that it is supposed to be in. A means to detect this attack is to
insist that the group manager publishes a proof that $n$ is the product of only
two primes. Efficient methods for such a proof are known [?].
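
The following Python script, an added example rather than code from the paper, plays out the mechanism behind both attacks with toy parameters. It uses a plain Schnorr-style signature of knowledge of a discrete logarithm in place of SKLOGLOG (the "retry until $\mathrm{ord}(e)$ divides the challenge" trick is the same one the Traore license attack in Section 4.1 relies on): a cheating prover publishes $e\cdot g^{x}$ instead of $g^{x}$ and redraws the commitment until the challenge $c$ is a multiple of $\mathrm{ord}(e)$; the verifier's recomputation $g^{r}h^{c}$ then cancels the factor $e^{c}$; the revocation manager's lookup of $g^{x_i}$ finds nobody; and the membership test $z^{n} \bmod P = 1$ catches the Section 3.1 variant ($e$ outside $G$) but not the Section 3.2 variant ($n = pqw$, $g$ of order $pq$, $e$ of order $w$). The moduli $P = 607$ (with $n = 101$) and $P = 211$ (with $n = 105 = 5\cdot 7\cdot 3$), the secret exponents and the member names are all constructed for the demonstration.

```python
import hashlib
import secrets


def order(P, a):
    """Multiplicative order of a in Z_P^* (brute force; toy sizes only)."""
    k, v = 1, a
    while v != 1:
        v, k = v * a % P, k + 1
    return k


def element_of_order(P, t):
    """Return some element of Z_P^* whose order is exactly t (t must divide P-1)."""
    for s in range(2, P):
        v = pow(s, (P - 1) // t, P)   # the order of v divides t
        if v != 1 and order(P, v) == t:
            return v
    raise ValueError("no element of order %d mod %d" % (t, P))


def challenge(g, h, commitment):
    """Fiat-Shamir challenge c = H(g || h || g^a), returned as an integer."""
    data = "%d|%d|%d" % (g, h, commitment)
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def prove(P, q, g, x, h, t=None):
    """Signature of knowledge of x for a published value h, with g of order q.

    Honest prover: h = g^x and t is None.
    Cheating prover: h = e * g^x with ord(e) = t; keep redrawing the commitment
    exponent until t | c, because then e^c = 1 and verification goes through.
    """
    while True:
        a = secrets.randbelow(q)
        c = challenge(g, h, pow(g, a, P))
        if t is None or c % t == 0:
            return c, (a - c * x) % q


def verify(P, g, h, proof):
    """Recompute g^a as g^r * h^c and check that the challenge binds to it."""
    c, r = proof
    commitment = pow(g, r, P) * pow(h, c, P) % P
    return challenge(g, h, commitment) == c


def in_subgroup(P, n, h):
    """The one-exponentiation membership test h^n mod P == 1."""
    return pow(h, n, P) == 1


def trace(P, g, h, members):
    """Revocation manager: name the member whose g^x_i equals the published h."""
    for name, x in members.items():
        if pow(g, x, P) == h:
            return name
    return None


def run(P, n, g_order, t, x=57):
    """Honest run and cheating run for one parameter set; returns the outcomes."""
    g = element_of_order(P, g_order)      # generator the protocol expects
    e = element_of_order(P, t)            # low-order element used by the cheat
    z = pow(g, x, P)                      # what the member should publish
    z_bad = e * z % P                     # what the cheating member publishes
    return {
        "honest_verifies": verify(P, g, z, prove(P, g_order, g, x, z)),
        "forged_verifies": verify(P, g, z_bad, prove(P, g_order, g, x, z_bad, t)),
        "traced": trace(P, g, z_bad, {"alice": x, "bob": 11}),   # constructed members
        "passes_membership_check": in_subgroup(P, n, z_bad),
    }


def section_3_1():
    # P - 1 = 606 = 2 * 3 * 101: G has prime order n = 101, e of order 3 lies outside G
    return run(P=607, n=101, g_order=101, t=3)


def section_3_2():
    # n = p*q*w = 5*7*3 = 105, P = 2n + 1 = 211, g of order pq = 35, e of order w = 3,
    # so z_bad = e*z still satisfies z_bad^n = 1 and the membership check is blind to it
    return run(P=211, n=105, g_order=35, t=3)


if __name__ == "__main__":
    print("3.1:", section_3_1())
    print("3.2:", section_3_2())
```

Running the script prints both outcome dictionaries; the only measure that separates the two cases is a proof that $n$ has exactly two prime factors, which the membership test cannot stand in for.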

4 Electronic Cash Schemes 

Many electronic cash protocols employ as primitives one or more of the signature
schemes discussed above, and hence may be exposed. Techniques which may be
used to repair or avoid the attacks shown here are discussed in Section 5.



4.1 Traore’s Scheme 

Traore [?] proposes an innovative electronic cash scheme based upon group
signatures where the customers form a group. We show that the above attack
may be extended to work against the scheme¹.

In Traore's scheme the RSA primes are chosen to be safe but the order of the large group
$\mathbb{Z}_P^*$ may contain many small factors. $P$ is chosen by first generating $n = pq$ (where
$p = 2p'+1$, $q = 2q'+1$ and $p, q, p', q'$ are all prime) and then choosing $P$ by
searching for $P = kn+1$, where $k$ is an integer. In this case it is very likely that
$P-1$ will contain many small factors and hence there are small order elements
easily found in the large group $\mathbb{Z}_P^*$. Now, it is possible to devise an attack similar
to that on the group signature scheme of Camenisch and Stadler [?], although there are
a few extra details to consider.

Traore's scheme requires users to obtain a license which is a pair of integers
which must be used during each coin withdrawal and 'embedded' in each coin
withdrawn. A license is obtained through a protocol executed with the group
manager during which the member proves that he knows the discrete log of a
value $ID_U$ which will later be used to revoke anonymity if necessary. This uses
a proof of knowledge called $\mathrm{Proof}_{LOG+RANGE}$. In the following $l_1$, $l_2$ and $\epsilon > 1$
are constants; $a$ is a quadratic residue in a different multiplicative group $\mathbb{Z}_N^*$
where $N$ is a product of different safe primes and $l_N$ is the bit-length of $N$.
Finally, $k$ is a security parameter.

¹ A revised protocol with repairs against this attack is detailed by Traore [?].

Definition 2. A proof of knowledge of the discrete logarithm of $h$ with respect
to $g$ and of $\delta$ with respect to $a$, which also proves that $\log_g h = \log_a \delta$ and that
$\log_g h$ lies in a range $[2^{l_1} - \ldots]$, is a pair $(c, r)$ satisfying

$c = \mathcal{H}(g \,\|\, h \,\|\, a \,\|\, \delta \,\|\, g^{\,r - c2^{l_1}}h^{c} \,\|\, a^{\,r - c2^{l_1}}\delta^{c})$

$r \in [-(2^{k}-1)(2^{l_2}-\ldots)\,,\ \ldots]$

and is denoted $\mathrm{Proof}_{LOG+RANGE}(g, h, a, \delta, l_1, l_2, l_N, \epsilon, k)$.

The attack works when a group member is able to obtain a license from the
group manager in a way that prevents the group manager from revoking the
identity of the user. The idea is similar to the attack in the last section in that
the proof is accepted even though the attacker does not possess the knowledge
claimed. This is achieved in the following steps:

1. During the license generating protocol, the group member obtains a license
$(X, \delta)$ by sending various parameters and two proofs to the group manager.
One of these proofs contains identifying information for the user using two
strings $ID_{U_1} = g^{x_1}$ and $id_{U_1} = a^{x_1}$. The required proof is as follows.

$\mathrm{Proof}_{LOG+RANGE}(g, ID_{U_1}, a, id_{U_1}, l_1, l_2, l_N, \epsilon, k)$

The malicious user can forge this proof by introducing the low order element
$e$ in the following:

$ID_{U_1}' = e\,g^{x_1}$

$id_{U_1} = a^{x_1}$

To construct $\mathrm{Proof}_{LOG+RANGE}$ the prover chooses $\alpha \in_R \{0, \ldots\}$, computes

$c = \mathcal{H}(g \,\|\, ID_{U_1}' \,\|\, a \,\|\, id_{U_1} \,\|\, g^{\alpha} \,\|\, a^{\alpha})$

and then computes $r = \alpha - c(x_1 - 2^{l_1})$. In general, a proof constructed in this
way will pass verification by the group manager only with probability $1/\mathrm{ord}(e)$, since
$(ID_{U_1}')^{c} = e^{c}g^{x_1 c}$ and the factor $e^{c}$ vanishes only when $\mathrm{ord}(e) \mid c$.
Therefore (for 100% success) it is necessary to determine a correct value for
$c$ by choosing $\alpha$ and evaluating $c$ until $\mathrm{ord}(e) \mid c$. This may be performed off-line
with minimal computation. When the desired value of $c$ is found the
verification $g^{\alpha} = g^{\,r - c2^{l_1}}(ID_{U_1}')^{c}$ will be satisfied as required for the proof.

2. During the withdrawal and payment protocols the group member would generate
coins using $g^{x_1}$, rather than $e\,g^{x_1}$, and these would still pass verification
by the merchant. During withdrawal the customer must supply an ElGamal
encryption of $g^{x_1}$ using the revocation manager's public key $h_R$. This pair
is included in the coin and is checked by the merchant at payment time.

3. When necessary, the revocation manager attempts to reveal the identity
using the owner tracing string $ot$ which has been included in the coin.
To do this the manager first decrypts the ElGamal ciphertext to obtain $g^{x_1}$.
Then the group manager attempts to determine the identity of the group
member, $ID_{U_1} = g^{x_1}$, by performing a search on the registered
group members. However, the group manager will find no registered $ID_U$ equal to
$g^{x_1}$, since the value registered by this member is $ID_{U_1}' = e\,g^{x_1} \bmod P$.

4.2 An Anomaly in Brands’ Cash Scheme 

An anomaly in Brands' original electronic cash scheme is now outlined. It is
related to the observation of Lim and Lee [?] that a customer is able to double
spend coins while avoiding identity revocation, as long as the bank never checks
that the customer's identity element is in the correct group during registration².
The attack of Lim and Lee was based upon the prover applying her secret key to
some supplied element, so the customer must interact with the bank to mount the
attack. In contrast we show how the customer can mount an alternative attack
by himself, through the selection of blinding invariants. In the initial remark
that follows the customer is easily detected; however, different assumptions must
be made regarding the security of the scheme. Consequently the overall protocol
must be altered to accommodate the detection of false coins.

Recall that in Brands' scheme computations take place in a subgroup $G$ of $\mathbb{Z}_p^*$
of prime order $q$. Three independent generators of $G$, denoted $g$, $g_1$ and $g_2$, are
made public. A coin consists of a pair $(A, B)$ and a signature $\sigma(A, B)$ issued by
the bank. The signature is a 4-tuple $(a, b, z, r)$ which is valid if the two verification
equations $g^{r} = h^{\mathcal{H}(A,B,z,a,b)}\,a$ and $A^{r} = z^{\mathcal{H}(A,B,z,a,b)}\,b$ hold, where $h\ (= g^{x})$ is the
bank's public key. During the withdrawal phase the customer obtains $(A, B)$
blindly in such a way that he knows the representation of $(A, B)$ with respect
to $(g_1, g_2)$. At payment time the customer supplies the coin and engages in an
interactive protocol designed to prove that he knows this representation.

In the 'attack', the customer substitutes $A$ with $eA \bmod p$ during the withdrawal
where, as before, $e$ is an element of low order $t$, such that $t \mid p-1$. The
attack may be applied to Brands' scheme using the following steps.

1. During coin withdrawal the customer chooses blinding invariant $s \in \mathbb{Z}_q$ as
normal and chooses $e$ such that $\mathrm{ord}(e) = t$.

2. The customer computes $A = (g_1^{u_1} g_2)^{s} \bmod p$ as normal, where $g_1^{u_1}$ is the
customer's registered identity.

3. The customer sets $\alpha = eA \bmod p$ and replaces $A$ by $\alpha$ in the calculation of
$c' = \mathcal{H}(\alpha, B, z', a', b')$.

4. At payment time the customer presents $(\alpha, B)$ and the bank's signature
$\sigma(\alpha, B)$ to the merchant as a valid coin.

² It seems that this check was proposed by Brands before the publication of Lim
and Lee [?].

The customer will obtain a valid bank signature $\sigma(\alpha, B)$ in the case that
$\alpha^{r'} = z'^{c'}b'$, i.e. $e^{r'} = 1$, where $r'$ is the exponent calculated during withdrawal. Since this
exponent is effectively random, this will happen with probability $1/t$. In practice the
customer could examine the response to confirm whether merchant verification
of the false coin will pass with the derived response $r'$, thus guaranteeing that
verification will succeed during payment. In addition, the representation check
at payment will pass with probability $1/t$, since the merchant's challenge $d$ will be a
multiple of $t$ $1/t$ of the time.

When the merchant deposits the coin, the bank is equally likely to accept
the coin as valid. If the coin fails the representation check, then the coin is
rejected. It is interesting to note that in Brands' original paper he suggests that
the customer may in fact determine $d$, reducing the payment to a single move
protocol. In this case the customer is able to spend an invalid coin with a 100%
success rate; as suggested above, during the withdrawal protocol the customer
is able to check that an appropriate value $r$ is provided that will enable a false
coin to pass verification using $r' = ru + v \bmod q$.

Regardless of this, the question remains of any real exposure. The answer is
negative, since if the customer spends a second instance of $\alpha$, or even $A$ itself, he
must supply $r$ values during payment that pass the representation criterion. Since
these values encode the customer's true identity the customer will be caught. So
this observation is rather an anomaly of the scheme, where an invalid coin $(\alpha, B)$,
such that $\alpha \notin G$ and $B \in G$, may be in circulation. But to be able to spend
these invalid coins the customer must have taken part in the withdrawal protocol.
Since the customer's account is debited during withdrawal and double spending
will reveal the identity there is no incentive to fool the system.

It should be pointed out that this observation invalidates theorems presented
by Brands [?]. For it can be seen that a customer can present a coin
$(\alpha, B), \sigma(\alpha, B)$, and not know the representation of $\alpha$ with respect to $(g_1, g_2)$.
The following formal statements are made in [?] with reference to a customer $U$.

Lemma. If $U$ in the payment protocol can give correct responses with respect to
two different challenges, then he knows a representation of both $A$ and $B$ with
respect to $(g_1, g_2)$.

Corollary. $U$ can spend a coin if and only if he knows a representation of it.

From the results above it is clear that the lemma and corollary have been
invalidated. The customer cannot possibly know a representation of $\alpha$ with respect
to $(g_1, g_2)$, since $\alpha \notin G$ and $g_1, g_2$ are both generators of $G$.

In order to prevent the customer from spending invalid coins, the merchant
should check that the value $A$ lies in the group $G$. This is an added expense in
performing the check $A^{q} \bmod p = 1$. Due to the existence of the element of order
2, even when $p$ is a safe prime, it will always be necessary to allow that either
$(A, B)$ or $(-A, B)$ is a valid coin.
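
The steps above, as an added Python example that is neither from the paper nor from Brands: a toy instance of the withdrawal, verification and payment equations with $p = 607$, $q = 101$ (so $p = 6q+1$ and $\mathbb{Z}_p^*$ has elements of order 2 and 3 outside $G$), a customer who hashes $\alpha = eA$ in place of $A$, the resulting signature that verifies exactly when $t \mid r'$, the representation check that passes exactly when $t \mid d$, and the $A^{q} \bmod p = 1$ test that rejects $\alpha$ every time. The three generators are picked by search and nothing hides their mutual discrete logarithms, which does not matter for the checks shown; the bank key, the account and the hash inputs are constructed for the demonstration.

```python
import hashlib
import secrets

P, Q = 607, 101       # p = 6q + 1: G has prime order q; Z_p^* also has elements of order 2, 3
T = 3                 # order of the low-order element e the customer slips in


def order(a):
    k, v = 1, a
    while v != 1:
        v, k = v * a % P, k + 1
    return k


def elements_of_order(t, count):
    """count distinct elements of Z_p^* of exact order t (brute force, toy sizes)."""
    found = []
    for s in range(2, P):
        v = pow(s, (P - 1) // t, P)
        if v != 1 and order(v) == t and v not in found:
            found.append(v)
            if len(found) == count:
                return found
    raise ValueError("not enough elements of order %d" % t)


g, g1, g2 = elements_of_order(Q, 3)   # three generators of G (toy: independence not enforced)
e = elements_of_order(T, 1)[0]        # e^3 = 1 and e is not in G


def H(*parts):
    """Hash to Z_q, used for c' = H(A, B, z', a', b') and for the merchant's challenge d."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rnd(nonzero=False):
    return 1 + secrets.randbelow(Q - 1) if nonzero else secrets.randbelow(Q)


def bank_setup():
    x = rnd(nonzero=True)
    return x, pow(g, x, P)                      # bank secret x, public h = g^x


def open_account(x, u1):
    """Bank registers the identity I = g1^u1 and hands back z = (I g2)^x."""
    I = pow(g1, u1, P)
    return pow(I * g2 % P, x, P)


def withdraw(x, h, u1, z, cheat=False):
    """Brands withdrawal with restrictive blinding. With cheat=True the customer
    hashes alpha = e*A instead of A (step 3 of the attack) and obtains sigma(alpha, B)."""
    m = pow(g1, u1, P) * g2 % P
    w = rnd()                                   # bank's nonce
    a, b = pow(g, w, P), pow(m, w, P)
    s, u, v = rnd(True), rnd(True), rnd()       # customer's blinding invariants
    x1, x2 = rnd(), rnd()
    A = pow(m, s, P)                            # A = (g1^u1 g2)^s
    B = pow(g1, x1, P) * pow(g2, x2, P) % P
    z1 = pow(z, s, P)
    a1 = pow(a, u, P) * pow(g, v, P) % P
    b1 = pow(b, s * u, P) * pow(A, v, P) % P
    coin_A = e * A % P if cheat else A
    c1 = H(coin_A, B, z1, a1, b1)
    c = c1 * pow(u, -1, Q) % Q                  # blinded challenge sent to the bank
    r = (c * x + w) % Q                         # bank's response
    r1 = (r * u + v) % Q                        # r' = ru + v, the unblinded exponent
    coin = (coin_A, B, (z1, a1, b1, r1))
    secret = (u1 * s % Q, s, x1, x2)            # representations of A and B wrt (g1, g2)
    return coin, secret


def verify_coin(h, coin):
    """The two verification equations g^r = h^c a and A^r = z^c b."""
    A, B, (z1, a1, b1, r1) = coin
    c1 = H(A, B, z1, a1, b1)
    return (pow(g, r1, P) == pow(h, c1, P) * a1 % P
            and pow(A, r1, P) == pow(z1, c1, P) * b1 % P)


def pay(secret, d):
    """Customer's response to the merchant's challenge d (representation proof)."""
    ra, rb, x1, x2 = secret
    return (d * ra + x1) % Q, (d * rb + x2) % Q


def check_payment(coin, d, response):
    A, B, _ = coin
    r1, r2 = response
    return pow(g1, r1, P) * pow(g2, r2, P) % P == pow(A, d, P) * B % P


def in_G(A):
    """The missing merchant check A^q mod p == 1 (-A fails it too when p is safe)."""
    return pow(A, Q, P) == 1


if __name__ == "__main__":
    x, h = bank_setup()
    u1 = rnd(True)
    z = open_account(x, u1)
    coin, sec = withdraw(x, h, u1, z, cheat=True)
    r1 = coin[2][3]
    print("signature valid:", verify_coin(h, coin), "| t divides r':", r1 % T == 0)
    print("alpha in G:", in_G(coin[0]))
```

A customer who wants a false coin that is guaranteed to verify simply repeats the withdrawal until verify_coin succeeds, about $t$ attempts, each of which debits the account; in_G is the single exponentiation the merchant should add before accepting the coin.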

We now show how other schemes, such as fair electronic cash [?], that extend
the Brands protocols are susceptible to some attacks. This reinforces the observation
that, whilst the original protocol may exhibit no real exposure, extended
versions may be compromised. This viewpoint is in contrast to the suggestion
by Brands that if the secret key is not applied by the prover to base numbers
supplied by other parties then the issue may be avoided [?]. Whilst this position
is reasonable for the original form of the protocol [?], we suggest that a more
prudent approach is to ensure safe parameter selection in the first instance to
ensure that extensions remain secure.



4.3 Fair Off-Line Cash 

Frankel, Tsiounis and Yung [?] show how Brands' scheme may be extended into
a fair electronic cash protocol by providing owner tracing and coin tracing. The
subgroup exposure shown above can be modified so that the additional property
of owner tracing can be thwarted in their scheme. Once more, this exposure is
due to the selection of primes $p$ and $q$ such that $p = \gamma q + 1$, where $\gamma$ is a small
integer [?].

We first note that the customer may again spend invalid coins as in Brands'
scheme. The only difference between the withdrawal in Brands' scheme and that
of Frankel et al. is that the $B$ value is split into two parts, $B_1$ and $B_2$, with
$B = [B_1, B_2]$. The customer performs the following modified steps in order to
withdraw the false coin.

1. Choose blinding invariant $s \in \mathbb{Z}_q$, and $e$ where $\mathrm{ord}(e) = t$.

2. Compute $A = (g_1^{u_1} g_2)^{s} \bmod p$.

3. Set $\alpha = eA \bmod p$, $B_1 = g_1^{x_1}$ and $B_2 = g_2^{x_2}$.

4. Calculate $c' = \mathcal{H}(\alpha, B, z', a', b')$, where $B = [B_1, B_2]$.

When the customer spends a coin the following modified payment ensues.

1. $A_1 = g_1^{u_1 s}$, $A_2 = g_2^{s}$ (so that $A = A_1 A_2$).

2. Set $\alpha_1 = eA_1$.

3. Present $\alpha_1, A_2, \alpha, B_1, B_2$ and $\sigma(\alpha, B)$ to the merchant as a valid coin.

When the merchant validates the coin he will find that $\alpha = \alpha_1 A_2$, and will also
find that the signature is valid (since this may be checked at withdrawal time
by the customer to ensure that the derived value $r'$ is a multiple of the order of $e$).
As in the attack on Brands' scheme, the representation check will work with
probability $1/t$.

³ Moreover, the attacks we outline are based upon the use of blinding invariants by
the customer.

To provide owner tracing, Frankel et al. added messages in the payment
protocol. These messages assume the existence of a trustee $T$ whose public key
$f_2 = g_2^{x_T}$ (with $x_T$ the trustee's secret) is known to all concerned parties. The additional messages include
an ElGamal encryption of the identity of the customer using $f_2$ and a proof by
the customer that this is the same identity as that hidden in the coin in the
component $A$. We now show how the above attack may be extended to thwart
the additional property of owner tracing. The customer proceeds as follows.

1. Forms the ElGamal encryption of $I$ as $D_1 = I\,f_2^{m}$, $D_2 = g_2^{m}$ where $m \in_R \mathbb{Z}_q$.

2. Sets $\delta_1 = eD_1$ where $e$ is of small order $t$.

3. Presents $\delta_1, D_2$ to the merchant as an encrypted identity during payment.

To verify the encryption, the merchant selects $s_0, s_1, s_2 \in_R \mathbb{Z}_q$, computes
$D' = \delta_1^{s_0} g_2^{s_1} D_2^{s_2}$ together with a correspondingly blinded $f_2'$ built from $f_2^{s_0}$,
and sends these two values to the customer. The customer returns a hash value $V$
computed from $D'$ and $f_2'$, and the merchant checks that $V$ equals the hash of the
corresponding powers of $\alpha$ and $A$. This verification will succeed as long as $t \mid s_0$, which
occurs with probability $1/t$, because only then does the factor $e^{s_0}$ in $\delta_1^{s_0}$ vanish.

It should be noted that Frankel et al. [?] assume that $D' \in G_q$, and likewise for the
other values supplied, hence their proofs are correct from this standpoint. However, as shown above,
in practice one cannot necessarily assume that this is the case without the
appropriate checks in place. It follows that when the trustee attempts to decrypt
the ciphertext, the trustee is unable to obtain the true identity of the customer.







5 Methods to Avoid Exposures 

In this section we briefly consider some techniques that may be employed to 

avoid the attacks described. 

Testing each element. Explicitly test that each presented element is within
the group. In some cases this will be effective, but when working in the
large multiplicative group $\mathbb{Z}_P^*$, this will not protect schemes. Moreover, if
$P-1$ contains many factors then a test for elements within the group will
not overcome the problem. For example, this approach is ineffective against
the collusion attack in Section 3.2 because a membership check on the supplied
element, using the group order $n$, will yield a positive result.

Restricting Exponents. Another approach is to avoid exponents which are 
multiples of the factors of the group order. This ensures that any element 
outside the correct group G will remain outside after exponentiation. The 
exponent must be prime with respect to all factors of the large group. One 
may use prime exponents, but this greatly restricts the range available for 
randomised exponents. 

Safe Primes for Multiplicative Groups. The most appropriate solution is
to ensure that small factors do not exist. If $p$ is a safe prime then the multiplicative
group $\mathbb{Z}_p^*$ has no small subgroups, except the subgroup of order 2. Thus use of safe
primes can avoid these attacks except that it may be necessary to modify
the protocols to check for the elements $\pm 1$.
In the schemes of Camenisch and Stadler [?] and the scheme of Traore [?]
the prime $P$ must be chosen in such a way that $(P-1)/n$ has as few small
factors as possible. In the best case $P-1 = 2n$; primes of this form can be
generated by first generating $n$ and checking if $2n+1$ is prime.

Proving a Composite is the Product of Two Safe Primes. When using a
composite modulus, the number of subgroups is minimised by choosing the
modulus to be a product of safe primes. Camenisch and Michels [?] have
provided a protocol to prove that an RSA modulus is the product of two
safe primes. This protocol is not as efficient as would be desirable if it has to
be checked at each use of the modulus, but it can be checked by a certification
authority in a one time registration procedure. This can then prevent the
collusion attack presented in Section 3.2.



6 Conclusions and Summary 

There exist a number of protocols that operate in some subgroup of $\mathbb{Z}_p^*$, where
the order is prime or non-prime, with no extra restrictions on $p$. We have shown
that it is possible to attack some of these systems, compromising one or more
properties. We have shown that more elaborate attacks may be mounted that operate
in various known and unknown group structures, exploiting weaknesses either
within the subgroup or within the larger group of the scheme. It is also shown
that whilst these schemes may possess no true weakness in their original form, as
these protocols are extended (perhaps with additional properties) the potential
for exposure is also extended. We suggest that using safe primes together with a
proof that this is the case is a sensible precaution even if the specific requirement
is not apparent. Finally, it may be necessary that the protocol be modified to
cater for elements of order 2.
Abstract. In this paper, we examine a classification of conference key
distribution protocols proposed in [?] and show that no known protocol
satisfies the security requirements in class 4, the highest security class
of this classification. We show two new attacks on protocols that were
believed to belong to the highest security class and show that both protocols
in fact belong to class 3. This motivates us to propose a refinement
of this classification to allow separating protocols with different security
properties while maintaining the classification framework.



1 Introduction 

A conference key distribution protocol (CKDP) establishes a common key among
a number of users forming a conference. Security analysis of CKDPs raises security
issues that did not exist in two-party key distribution protocols (KDPs). In
particular, in addition to attacks from outsiders that must be considered in
both types of protocols, in CKDPs there are attacks from malicious insiders with
the aim of changing the structure of the conference. For example, a subgroup
of participants may attempt to share different keys with different participants,
eliminate a participant $U_i$ from the conference or even make other participants
believe that $U_i$ is participating in the conference, while the latter is unaware of
the conference.

In [?] Saeednia and Safavi-Naini proposed a general framework for defining
and classifying security properties of CKDPs. The highest security class in
this classification is class 4 security, and requires assurance that no collusion of
malicious insiders can break authenticity of the conference key without other
participants (outside the coalition) detecting the fraud.

In this paper we show that this requirement is too strong and is not satisfied
by any of the examined protocols. We also point out that it is unlikely that the
requirement can be satisfied by any other protocol. A result of this is that a broad
range of protocols with varying levels of security are put in the same class. In
particular, we examine two protocols proposed in [?] and show that neither of
them achieves the claimed level of security and both must be put in the same lower
class. We propose a modification of class 4 security that provides a more refined
classification of CKDPs.

2 Overview of the Proposed Classification 

In this section we briefly recall the security classification proposed in [?]. The
basic approach is to define properties that must be satisfied by a CKDP, and
classify protocols depending on the properties that they satisfy when different
types of adversaries are considered. We omit the details of the lower level classes
since they are not relevant to this paper.

A conference $C$ is defined by a subset $\{U_1, \ldots, U_m\}$ of participants from a set
$\mathcal{U}$. Participants in $C$ are called insiders while those in $\mathcal{U} \setminus C$ are called outsiders.
A CKDP may satisfy one or more of the following properties.

A. All insiders must be able to compute the conference key $K_C$.

B. $K_C$ must be fresh.

C. No outsider, having access to messages of previous runs of the protocol and
the corresponding keys, can calculate $K_C$ or share a key with any insider.

D. Every insider can be sure that either he is sharing the same key with all
the conference participants, or no two participants share a common key.

Properties A to C are all required to ensure that a protocol functions correctly
and produces "good keys" in the presence of both passive and active outsiders. They
constitute the properties that are shared between KDPs and CKDPs. Property
D, however, is only relevant to CKDPs and not to two-party protocols. This is
true because in two-party protocols there are exactly two participants and property
D reduces to assurance about the sameness of the key computed by the other
participant, which is always achievable by an extra handshake protocol using the
distributed key. This means that KDPs that satisfy properties A to C guarantee
confidentiality of the information, which in the extreme case could mean messages
encrypted by one participant not being readable by anyone else, including other
valid recipients.

In a CKDP the situation is different. A protocol that satisfies A to C cannot
be considered secure because the protocol might result in subgroups of participants
sharing a common key different from the conference key. In this case,
an encrypted message is readable by one subset without them knowing who is
able or unable to read the message, and so the protocol cannot be considered secure.
This means that D is an essential property of a secure CKDP.

In general we can consider two kinds of adversaries: outsiders and insiders. It 
is important to distinguish between the two types as security risks in each case 
is different and a protocol that is secure against attackers of the first kind may 
not be secure against attackers of the second kind. 

Because of this, property D is split into two, resulting in two different classes 
of security: 
D1. It is infeasible for an active outsider to break authenticity of the conference
key by tampering with the messages without insiders detecting the fraud.

D2. It is infeasible for any coalition of malicious insiders to break authenticity of
the conference key by tampering with the messages with no insider outside
the coalition detecting the fraud.

Now security classes 3 and 4 are defined as the classes containing protocols
satisfying A, B, C and D1, and protocols satisfying A, B, C, D1 and D2,
respectively.

In the following, we show that because of property D2, we cannot distinguish
between a protocol in which a group of malicious insiders can force one, or a
subgroup of, participants to calculate a different conference key while no other
participant, who is neither a colluder nor a victim, detects it, and a protocol
in which a group of insiders can establish a subliminal channel [?] between
themselves. Both these attacks are captured by D2, while they actually have
very different implications.



3 Identity-Based Protocols and Attacks 

In [?], two identity-based CKDPs have been proposed that were based on the
broadcast protocol of [?] and were claimed to be of class 4. In this section we
recall these protocols and show attacks that allow a subliminal key other than the
conference key to be computed by a subgroup of participants.

3.1 Protocol 1 

In this protocol, users' keys are chosen by a Trusted Third Party (TTP) that in
the initialization phase chooses

— an integer $n$ that is a product of two large distinct random primes $p$ and $q$
such that $p-1 = 2p'$ and $q-1 = 2q'$, where $p'$ and $q'$ are also prime integers,

— two bases $\alpha$ and $\beta \neq 1$ of order $r = p'q'$,

— a large integer $u < \min(p', q')$, and

— a one-way hash function $f$.

TTP makes $\alpha$, $\beta$, $u$, $f$ and $n$ public, keeps $r$ secret and discards $p$ and $q$
afterward.

Each user, after his identity is verified by the TTP, receives a pair of public
and private keys. The TTP does the following:

— prepares the user's public key, $ID$, by hashing the string $I$ corresponding to
his identity: that is, $ID = f(I)$;

— computes the user's secret key as the pair $(x, y)$, where $x = (\ldots) \bmod n$,
$y = (\ldots) \bmod n$ and $ID^{-1}$ is computed modulo $r$.

The protocol is executed in three steps and has two broadcasts by each user.
1. Each $U_i$, $i = 1, \ldots, m$, randomly selects $t_i \in_R \mathbb{Z}_u$, computes $z_i = \alpha^{t_i} \pmod n$
and broadcasts it.

2. Each $U_i$, $i = 1, \ldots, m$, computes $c = f(z_1 \| z_2 \| \cdots \| z_m)$ ("$\|$" denotes
concatenation), and then broadcasts $v_i = (z_{i+1}/z_{i-1})^{t_i} \pmod n$ and
$w_i = y_i \cdot x_i^{(\ldots)} \pmod n$.

3. Each $U_i$, $i = 1, \ldots, m$, checks whether each received $w_j$ satisfies the verification
equation $(\bmod n)$ for $j = 1, \ldots, i-1, i+1, \ldots, m$. If so, computes the conference key as

$K_i = z_{i-1}^{\,m t_i} \cdot v_i^{\,m-1} \cdot v_{i+1}^{\,m-2} \cdots v_{i-2} \pmod n.$

The common key computed by $U_i$ is

$K_C = \alpha^{t_1t_2 + t_2t_3 + \cdots + t_mt_1} \pmod n.$

The pair $(z_i, w_i)$ constitutes a signature of $v_i$ and a witness of the knowledge
of $t_i$, as well as of $U_i$'s secret key. Since with a very high probability $c$ is different
in each run of the protocol, the freshness of the signatures can be guaranteed.
This means that no signature (for the same $v_i$ and $z_i$) will be valid twice. Such a
signature provides assurance about the origin of $v_i$ and $z_i$ and makes it infeasible
to impersonate a user by replaying messages of a previous session, or to eliminate
a user from the conference while other participants believe that the user has
computed the same key as them. However, it is possible to establish a subliminal
key, as we will see in the following subsection.

3.2 Attack on Protocol 1 

We show how a colluding group of participants may share a key other than the
conference key computed by everyone, without others detecting it. For simplicity,
we describe the attack by $m-1$ colluders against $U_j$. It is easy to modify the
attack to work for $m-k$ colluders against the remaining $k$ participants. We
assume that attackers can completely control the view of the cheated participant.
This means that it is possible to broadcast a message in such a way that $U_j$
cannot receive it. This is denoted by $\mathrm{broadcast}(\backslash U_j)$. Also, no participant can
distinguish between a received broadcast message and a message sent only to
him.

1. Each $U_i$, $i = 1, \ldots, m$, selects $t_i \in_R \mathbb{Z}_u$, computes $z_i = \alpha^{t_i} \pmod n$ and
broadcasts it.

2. Each $U_i$, $i \neq j-1$ and $j+1$, computes $v_i = (z_{i+1}/z_{i-1})^{t_i} \pmod n$ and
$w_i = y_i \cdot x_i^{(\ldots)} \pmod n$ and broadcasts them.

2'. $U_{j-1}$ and $U_{j+1}$ send to $U_j$ the pairs $(v_{j-1}, w_{j-1})$ and $(v_{j+1}, w_{j+1})$ that they have
computed following step 2 of the protocol, compute

$v'_{j-1} = (z_{j+1}/z_{j-2})^{t_{j-1}} \pmod n$

$v'_{j+1} = (z_{j+2}/z_{j-1})^{t_{j+1}} \pmod n$

and $\mathrm{broadcast}(\backslash U_j)$ them (as $v_{j-1}$ and $v_{j+1}$), respectively. In addition, they
$\mathrm{broadcast}(\backslash U_j)$ $w_{j-1}$ and $w_{j+1}$ (those they have sent to $U_j$) as $w_{j-1}$ and
$w_{j+1}$, respectively.

3. $U_j$ checks validity of all $w_k$'s he has received and computes the key
$K_C = \alpha^{t_1t_2 + t_2t_3 + \cdots + t_mt_1} \pmod n$. Other $U_i$, knowing that they are colluding to
exclude $U_j$, do not check the validity of the $w_k$'s, but first compute

$K^* = \alpha^{t_1t_2 + \cdots + t_{j-1}t_{j+1} + \cdots + t_mt_1} \pmod n$

using the $v_k$'s they have received (excluding $v_j$), and second $K_C$,
using the values $\mathrm{broadcast}(\backslash U_j)$ by $U_{j-1}$ and $U_{j+1}$ as $w_{j-1}$ and $w_{j+1}$, respectively.

Now, the colluders can use the key $K^*$ to communicate (excluding $U_j$) and
also use $K_C$ when they need to send a message that should also be readable by
$U_j$.
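
The following Python is an added example, not code from the paper, that runs the key computation of steps 1 to 3 and the exclusion attack on a ring of five toy participants. It keeps only the Burmester-Desmedt core ($z_i$, $v_i$, $K_i$) and leaves out the $(x_i, y_i)$ signature layer, since the attack as described forwards honest signatures to $U_j$ anyway. The modulus $n = 11\cdot 23$, the base $\alpha$ of order $r = 5\cdot 11$ and the exponents $t_i$ are constructed for the demonstration and ignore the bound $u$. The colluders are modelled as running the protocol on the ring with $U_j$ removed, which is exactly what the two modified values $v'_{j-1}$, $v'_{j+1}$ achieve; the code checks that only those two broadcasts differ from the honest ones.

```python
N = 11 * 23           # n = pq with p = 2*5 + 1, q = 2*11 + 1 (constructed toy safe primes)
R = 5 * 11            # r = p'q', the order of the base alpha


def order(a):
    """Multiplicative order of a modulo n (brute force; toy sizes only)."""
    k, v = 1, a
    while v != 1:
        v, k = v * a % N, k + 1
    return k


def find_base():
    """Some unit of Z_n^* of order exactly r."""
    for s in range(2, N):
        if s % 11 and s % 23 and order(s) == R:
            return s
    raise ValueError("no element of order r")


ALPHA = find_base()


def round1(ts):
    """z_i = alpha^{t_i} mod n, broadcast by every U_i."""
    return [pow(ALPHA, t, N) for t in ts]


def v_value(zs, ts, i):
    """v_i = (z_{i+1} / z_{i-1})^{t_i} mod n on the ring given by the list order."""
    m = len(zs)
    ratio = zs[(i + 1) % m] * pow(zs[(i - 1) % m], -1, N) % N
    return pow(ratio, ts[i], N)


def key(zs, vs, ts, i):
    """K_i = z_{i-1}^{m t_i} * v_i^{m-1} * v_{i+1}^{m-2} * ... * v_{i-2} mod n."""
    m = len(zs)
    k = pow(zs[(i - 1) % m], m * ts[i], N)
    for j in range(1, m):
        k = k * pow(vs[(i + j - 1) % m], m - j, N) % N
    return k


def expected_key(ts):
    """alpha^{t_1 t_2 + t_2 t_3 + ... + t_m t_1}: what the ring should agree on."""
    m = len(ts)
    return pow(ALPHA, sum(ts[k] * ts[(k + 1) % m] for k in range(m)), N)


def honest_run(ts):
    """Every participant's key in an honest run (all equal to expected_key(ts))."""
    zs = round1(ts)
    vs = [v_value(zs, ts, i) for i in range(len(ts))]
    return [key(zs, vs, ts, i) for i in range(len(ts))]


def exclusion_attack(ts, j):
    """All participants except U_j collude. U_j receives the honest v_{j-1}, v_{j+1}
    and computes K_C, while U_{j-1} and U_{j+1} broadcast (\\U_j) the v' values of
    the ring with U_j removed, so every colluder derives K* instead.

    Returns (U_j's key, the colluders' keys, the indices whose broadcast changed).
    """
    m = len(ts)
    zs = round1(ts)
    honest_vs = [v_value(zs, ts, i) for i in range(m)]
    key_j = key(zs, honest_vs, ts, j)          # U_j's view is exactly the honest one
    keep = [i for i in range(m) if i != j]    # the ring with U_j removed
    zs2, ts2 = [zs[i] for i in keep], [ts[i] for i in keep]
    vs2 = [v_value(zs2, ts2, k) for k in range(m - 1)]
    changed = [keep[k] for k in range(m - 1) if vs2[k] != honest_vs[keep[k]]]
    k_star = [key(zs2, vs2, ts2, k) for k in range(m - 1)]
    return key_j, k_star, changed


if __name__ == "__main__":
    ts = [3, 7, 11, 4, 9]                     # constructed exponents t_1..t_5
    print("honest keys:", honest_run(ts))
    key_j, k_star, changed = exclusion_attack(ts, 2)
    print("U_3 computes", key_j, "| colluders compute", k_star, "| changed v:", changed)
```

In the attack run only $U_{j-1}$ and $U_{j+1}$ change what they broadcast, and $U_j$ sees the same $v$ values (and, in the real protocol, the same signatures on them) as in an honest run, which is why property D2 cannot be satisfied by checking messages alone.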

3.3 Protocol 2 

This protocol is the Burmester-Desmedt protocol with key confirmation. It uses
the same parameters and keys as Protocol 1, but instead of signatures on the
pair $v_i$ and $z_i$, each participant computes a signature on the conference key. The
validity of this signature will be verified by all other participants.

1. Each $U_i$, $i = 1, \ldots, m$, selects $t_i \in_R \mathbb{Z}_u$, computes $z_i = \alpha^{t_i} \pmod n$ and
broadcasts it.

2. Each $U_i$, $i = 1, \ldots, m$, computes $c = f(z_1 \| z_2 \| \cdots \| z_m)$ and then computes
and broadcasts $v_i = (z_{i+1}/z_{i-1})^{t_i} \pmod n$.

3. Each $U_i$, $i = 1, \ldots, m$, computes the conference key as

$K_i = z_{i-1}^{\,m t_i} \cdot v_i^{\,m-1} \cdot v_{i+1}^{\,m-2} \cdots v_{i-2} \pmod n$

and then computes $k_i = f(K_i)$ and $w_i = y_i \cdot x_i^{(\ldots)} \pmod n$, and broadcasts
them.

4. Each $U_i$, $i = 1, \ldots, m$, verifies whether $w_j^{ID_j} \cdot \beta = z_j^{(\ldots)} \pmod n$, for $j =
1, \ldots, i-1, i+1, \ldots, m$. If these hold, then $U_i$ accepts, otherwise rejects and
halts.



3.4 Attack on Protocol 2

Here again, we describe our attack against a given participant $U_j$, but it can straightforwardly be generalized to exclude any number of participants.

1. $U_i$, $i = 1, \ldots, m$, selects $t_i \in_R \mathbb{Z}_n$, computes $z_i = \alpha^{t_i} \pmod n$ and broadcasts it.

2. $U_i$, $i \neq j-1$ and $j+1$, computes $v_i = (z_{i+1}/z_{i-1})^{t_i} \pmod n$ and broadcasts it.

2'. $U_{j-1}$ and $U_{j+1}$ send to $U_j$ the values $v_{j-1}$ and $v_{j+1}$ that they have computed following step 2 of the protocol, compute
$$v'_{j-1} = (z_{j+1}/z_{j-2})^{t_{j-1}} \pmod n \quad\text{and}\quad v'_{j+1} = (z_{j+2}/z_{j-1})^{t_{j+1}} \pmod n,$$
and broadcast($\backslash U_j$) them (as $v_{j-1}$ and $v_{j+1}$), respectively.

3. $U_j$ computes the key $K_c = \alpha^{t_1 t_2 + t_2 t_3 + \cdots + t_m t_1} \pmod n$. The other $U_i$'s ($i = 1, \ldots, m$, $i \neq j, j-1$ and $j+1$) compute
$$K^* = \alpha^{t_1 t_2 + \cdots + t_{j-1} t_{j+1} + \cdots + t_m t_1} \pmod n$$
using the $v_k$'s they have received (excluding $v_j$), and $U_{j-1}$ and $U_{j+1}$ compute both keys.

3'. $U_{j-1}$ and $U_{j+1}$ broadcast($\backslash U_j$) $K_c$ (instead of their signature on the conference key) and send to $U_j$
$$w_{j-1} = y_{j-1} \cdot x_{j-1}^{k_c} \pmod n \quad\text{and}\quad w_{j+1} = y_{j+1} \cdot x_{j+1}^{k_c} \pmod n,$$
respectively, where $k_c = f(K_c)$.

3''. $U_i$, $i \neq j-1$ and $j+1$, computes $w_i = y_i \cdot x_i^{k_c} \pmod n$ and broadcasts it.

4. $U_j$ verifies the correctness of the $w_k$'s and is convinced that the other participants have computed the same key as him. The other participants do nothing.

Once again, the colluders can use the key $K^*$ to communicate (excluding $U_j$) and also use $K_c$ when they need to send a message that should be readable by $U_j$.
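The protocol of Section 3.3 and the collusion of Section 3.4, run end to end as an added example (this is not code from the paper). It assumes a prime-order subgroup of $\mathbb{Z}_p^*$ (the RFC 2409 1024-bit MODP group with generator 2) in place of the paper's modulus $n$, replaces the identity-based signature $w_i$ by a Schnorr signature on $k_i = f(K_i)$, and takes $f$ to be SHA-256 reduced modulo the group order; the names `honest_run`, `collusion` and `demo` are the example's own. The run shows that the excluded participant $U_j$ ends up with $K_c$, accepts every confirmation, and has no way of noticing that the other $m-1$ parties also share $K^*$.

```python
"""Burmester-Desmedt (BD) conference key agreement with key confirmation and the
insider collusion of Section 3.4 that excludes one participant U_j.
Added example, not code from the paper.  Assumptions: the group is the
order-q subgroup of Z_p^* from RFC 2409 (1024-bit MODP, generator 2) instead of
the paper's modulus n; the paper's identity-based signature w_i is replaced by a
Schnorr signature on k_i = f(K_i); f is SHA-256 reduced modulo q."""
import hashlib
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2          # prime order of the subgroup generated by G
G = 2

def f(*parts):
    """Hash function f of the paper: SHA-256 of the encoded inputs, mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    """Long-term signing key (x_i, y_i = G^x_i) of a participant."""
    x = rand_exp()
    return x, pow(G, x, P)

def sign(x, msg):
    r = rand_exp()
    R = pow(G, r, P)
    return R, (r + f(R, msg) * x) % Q

def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, f(R, msg), P) % P

def round1(ring):
    """Step 1: every U_i picks t_i and broadcasts z_i = G^t_i."""
    t = {i: rand_exp() for i in ring}
    return t, {i: pow(G, t[i], P) for i in ring}

def v_value(ring, i, t, z):
    """Step 2: v_i = (z_{i+1} / z_{i-1})^t_i, neighbours taken around `ring`."""
    k = ring.index(i)
    nxt, prv = ring[(k + 1) % len(ring)], ring[(k - 1) % len(ring)]
    return pow(z[nxt] * pow(z[prv], -1, P), t[i], P)

def bd_key(ring, i, t, z, v):
    """Step 3: K_i = z_{i-1}^{m t_i} * v_i^{m-1} * v_{i+1}^{m-2} * ... * v_{i-2}."""
    m, k = len(ring), ring.index(i)
    K = pow(z[ring[(k - 1) % m]], m * t[i], P)
    for s in range(m - 1):
        K = K * pow(v[ring[(k + s) % m]], m - 1 - s, P) % P
    return K

def honest_run(ring):
    """All participants follow the protocol; returns every U_i's key K_i."""
    t, z = round1(ring)
    v = {i: v_value(ring, i, t, z) for i in ring}
    return {i: bd_key(ring, i, t, z, v) for i in ring}

def collusion(ring, j, sec, pub):
    """Everyone except U_j colludes.  U_{j-1} and U_{j+1} send U_j the honest
    v values and broadcast (excluding U_j) the v' values of the ring without
    U_j.  The colluders share the honest v's among themselves; in the paper
    U_{j-1} and U_{j+1} broadcast K_c (excluding U_j) instead, which is
    equivalent.  Returns U_j's key, the colluders' private key K*, K_c, and
    whether U_j accepted all confirmations."""
    t, z = round1(ring)
    inner = [i for i in ring if i != j]
    v_honest = {i: v_value(ring, i, t, z) for i in ring}      # seen by U_j
    v_inner = {i: v_value(inner, i, t, z) for i in inner}     # hidden from U_j
    K_j = bd_key(ring, j, t, z, v_honest)
    K_c = bd_key(ring, inner[0], t, z, v_honest)
    K_star = bd_key(inner, inner[0], t, z, v_inner)
    # Step 3': every colluder signs k_c = f(K_c), so U_j's checks in step 4 pass.
    sigs = {i: sign(sec[i], f(K_c)) for i in inner}
    accepted = all(verify(pub[i], f(K_j), sigs[i]) for i in inner)
    return K_j, K_star, K_c, accepted

def demo(m=5, j=2):
    ring = list(range(m))
    keys = honest_run(ring)
    sec, pub = {}, {}
    for i in ring:
        sec[i], pub[i] = keygen()
    K_j, K_star, K_c, accepted = collusion(ring, j, sec, pub)
    return {"honest_agree": len(set(keys.values())) == 1,
            "victim_has_Kc": K_j == K_c, "victim_accepts": accepted,
            "Kstar_differs": K_star != K_c}

if __name__ == "__main__":
    print(demo())
```

Every entry of the dictionary returned by `demo()` is true: the honest run agrees on one key, the victim's key equals $K_c$, all of the victim's signature checks pass, and $K^*$ differs from $K_c$. Nothing the victim receives distinguishes this run from an honest one, which is exactly the point of Section 3.4.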

4 Refining the Classification

The above attacks show that none of the protocols in [4] are in class 4, as a collusion of malicious insiders can break the authenticity of the key. Here, "breaking authenticity of the key" means that property D is not satisfied, and so with this requirement none of the analyzed protocols is in class 4.

Establishing subliminal channels might not need an active attack. Rather, it could use correctly constructed messages of the protocol in a different computation planned by the colluders. An example is the case when participants in the protocol send messages of the form $\alpha^{t_i}$ at some stage of the protocol. This allows two participants, $U_i$ and $U_j$, to establish a Diffie-Hellman key [3] and use it to communicate through a subliminal channel.¹ A similar type of computation can also be performed by a group of participants, resulting in a subliminal channel among the group. This type of channel, which could always be established among passive colluding insiders, is called an inherent subliminal channel. To establish such channels the attackers correctly follow the protocol and it is not necessary for them to modify or suppress any of the messages. In this case, since calculating the conference key uses messages of a correct and untampered run of the protocol, the result is a correct conference key. However, some of the participants also follow another pre-agreed computation and calculate a subliminal key, and there is no way for the other participants to be sure that such a computation has not been performed. Subliminal channels are studied by Simmons [5] and Desmedt et al. [2]. It is an open question whether it is possible to construct conference key protocols that are subliminal free, that is, protocols that do not allow the establishment of these kinds of subliminal channels.

¹ In star based and cyclic systems, any participant may learn the value sent by each participant to another by eavesdropping on the communication.

This has motivated us to refine property D so that it can be used to distinguish between the more secure protocols and the less secure ones.

To clarify this, we compare the Burmester-Desmedt protocol with the protocols of Section 3. As shown in [4], the Burmester-Desmedt protocol is only secure against outsiders' attacks and no security is provided against malicious insiders: malicious insiders can impersonate other users, or eliminate a number of them from the conference, without any participant that is not part of the colluding group or the victim group being able to detect the subversion of the protocol.

The protocols analyzed in Section 3 only allow a collusion of insiders to share a subliminal channel (inherent or not), but there is no known attack that leaves at least one of the participants outside both the colluder group and the victim group. Nevertheless, with the current classification, all these protocols belong to class 3 despite the resistance they provide against insiders' attacks.

We propose an intermediate class to differentiate between the two types of protection offered. We separate out attacks that leave at least one participant outside the group of colluders and the group of victims. This is reasonable because when a group of colluders impersonate or eliminate a participant $U_j$, their goal is to make the other participants believe that user $U_j$ is involved in the conference while $U_j$ is either impersonated or has computed a wrong key without being aware of it. The attack divides the conference into three subgroups: colluders, victims and others, where the latter two subgroups are both cheated by the colluders, though not in the same way.

In contrast, attacks that aim at creating a subliminal channel break the conference into two subgroups: colluders and victims, with the colluders' aim being to have private communication among themselves. So property D2 can be rewritten as follows.

D'2. No colluding subgroup $G \subseteq C$ can impersonate a subgroup $G' \subseteq C$ such that $G \cap G' = \emptyset$ and $G \cup G' \subset C$, or force them to compute a wrong key. Here we require that in this fraud there is at least one participant $U \in C \setminus (G \cup G')$ who cannot detect the fraud.

D''2. No colluding subgroup $G \subseteq C$ can share a subliminal key other than the conference key.

We note that an inherent subliminal channel between two participants can be extended to a subliminal channel among a group of participants as follows: if user $U_i$ shares a subliminal key $K_1$ with $U_j$ and $K_2$ with $U_k$, then it can encrypt $K_2$ with $K_1$ and send it to $U_j$. In this way all three users share $K_2$. This can be extended to any number of users.

We define the new classes as follows.

— Class 3 contains protocols that satisfy A, B, C and D1.

— Class 4 contains protocols that satisfy A, B, C, D1 and D'2.

— Class 5 contains protocols that satisfy A, B, C, D1, D'2 and D''2.

Now, the above protocols belong to the new class 4, while less secure protocols such as the Burmester-Desmedt protocol remain in class 3.



5 Conclusions and Further Works

We argued that the classification of CKDPs given in [4] is very restrictive. We showed attacks on two CKDPs that were previously believed to belong to the highest security class in this classification. We noted that many conference key distribution protocols have inherent subliminal channels and in fact we are not aware of any CKDP that is free from such channels. We argued that there is no reason to separate protocols based on the type of attack, active or passive, used for the establishment of the channel.

However, we separate attacks that aim at establishing a subliminal channel from those that remove the assurance that each user can compute the same conference key with all other participants (although he might be excluded from some subliminal discussions). By replacing class 4 in the classification given in [4] with two new classes, 4 and 5, we can retain the original framework and at the same time differentiate between protocols that have different resistance against insiders' attacks. The construction of a CKDP that satisfies the requirements of class 5 remains an open and challenging problem.



References

1. M. Burmester and Y. Desmedt. A secure and efficient conference key distribution system. Advances in Cryptology - Eurocrypt '94, Lecture Notes in Computer Science 950, pages 275-286, 1994.

2. M. Burmester, Y. Desmedt, T. Itoh, K. Sakurai, H. Shizuya, and M. Yung. A progress report on subliminal-free channels. Workshop on Information Hiding, 1996.

3. W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, vol. 22, pages 644-654, 1976.






4. S. Saeednia and R. Safavi-Naini. Efficient Identity-Based Conference Key Distribution Protocols. Information Security and Privacy, ACISP '98, Lecture Notes in Computer Science 1438, pages 320-331, 1998.

5. G. J. Simmons. The subliminal channel and digital signatures. Advances in Cryptology - Eurocrypt '84, Lecture Notes in Computer Science 209, pages 364-378, 1984.




Pseudorandomness of MISTY-Type Transformations and the Block Cipher KASUMI

Ju-Sung Kang, Okyeon Yi, Dowon Hong, and Hyunsook Cho

Section 0741, Information Security Technology Division, ETRI
161 Kajong-Dong, Yusong-Gu, Taejon, 305-350, KOREA
{jskang, oyyi, dwhong, hscho}@etri.re.kr



Abstract. We examine the security of block ciphers from the viewpoint of pseudorandomness. Firstly we show that the four round (unbalanced) MISTY-type and the three round dual MISTY-type transformations are pseudorandom permutation ensembles. Secondly we prove that the three round KASUMI is not a pseudorandom permutation ensemble but the four round KASUMI is a pseudorandom permutation ensemble. We provide simplified probability-theoretic proofs for non-adaptive distinguishers.

Key words: Distinguisher, (Super-)Pseudorandom permutation ensemble, MISTY-type transformation, KASUMI.



1 Introduction

The notion of pseudorandomness has been applied as a method of provably analyzing the security of block ciphers, alongside provable security against differential and linear cryptanalysis. Luby and Rackoff introduced a theoretical model for the security of block ciphers by using the notion of pseudorandom and super-pseudorandom permutations.

A block cipher can be regarded as a family of permutations on a message space indexed by a secret key. That is, one secret key determines a permutation on the given message space. A pseudorandom permutation can be interpreted as a block cipher that no attacker with polynomially many encryption queries can distinguish from the truly random permutation. We call a block cipher a super-pseudorandom permutation if no attacker with polynomially many encryption and decryption queries can distinguish between the block cipher and the truly random permutation. Maurer presented a simplified proof of Luby-Rackoff's results for non-adaptive distinguishers and provided new insight into the relation between complexity-theoretic and probability-theoretic results. Naor and Reingold proposed a revised construction by showing that the two round Feistel-type transformation, together with initial and final independent permutations, is sufficient to be a super-pseudorandom permutation. Iwata and Kurosawa proved that the five round RC6 and the three round Serpent are super-pseudorandom permutations for non-adaptive distinguishers.

Luby and Rackoff used the Feistel-type transformation of DES in order to construct a pseudorandom and super-pseudorandom permutation from a pseudorandom function. They showed that the Feistel-type transformation with three rounds yields a pseudorandom permutation and with four rounds yields a super-pseudorandom permutation, under the assumption that each round function is a pseudorandom function.

In this paper we examine the pseudorandomness of the MISTY-type transformation, which is not of Feistel type, and apply these results to analyze the pseudorandomness of the 3GPP block cipher KASUMI. Sakurai and Zheng [11] showed that the three round MISTY-type transformation is not a pseudorandom permutation ensemble. We prove that the four round (unbalanced) MISTY-type and the three round dual MISTY-type transformations are pseudorandom permutation ensembles. The overall structure of KASUMI is a Feistel-type structure, but its round function does not seem to be a pseudorandom function. Thus we cannot straightforwardly apply Luby-Rackoff's result to KASUMI. We prove that the three round KASUMI is not a pseudorandom permutation but the four round KASUMI is a pseudorandom permutation. Throughout this paper we use simplified probability-theoretic proofs for non-adaptive distinguishers.

Recently, Iwata et al. proved that the five round MISTY-type transformation is super-pseudorandom, and Gilbert and Minier showed that the four round MISTY-type and three round dual MISTY-type transformations are pseudorandom and the five round MISTY-type and dual MISTY-type transformations are super-pseudorandom. These two results include some parts of ours; however, ours were obtained independently, and our results about the pseudorandomness of the 3GPP block cipher KASUMI are new.

2 Preliminaries

2.1 Definitions

Let $I_m$ denote the set of all $m$-bit strings and $\Omega_m$ the set of all permutations from $I_m$ to itself, where $m$ is a positive integer. That is,
$$\Omega_m = \{\pi : I_m \to I_m \mid \pi \text{ is a bijection}\}.$$

Definition 1 $\Omega_m$ is called a TPE (truly random permutation ensemble) if all permutations in $\Omega_m$ are uniformly distributed. That is, for any permutation $\pi \in \Omega_m$, $\Pr(\pi) = \frac{1}{2^m!}$.

We consider the following security model. Let $\mathcal{D}$ be a computationally unbounded distinguisher with an oracle $\mathcal{O}$. The oracle $\mathcal{O}$ chooses randomly a permutation $\pi$ from $\Omega_m$ or from a permutation ensemble $\Psi_m \subset \Omega_m$. For an $m$-bit block cipher, $\Psi_m$ is the set of permutations obtained from all the secret keys. The purpose of the distinguisher $\mathcal{D}$ is to distinguish whether the oracle $\mathcal{O}$ implements
Definition 2 Let $\mathcal{D}$ be a distinguisher, $\Omega_m$ be a TPE, and $\Psi_m$ $(\subset \Omega_m)$ be a permutation ensemble. The advantage $\mathrm{Adv}_{\mathcal{D}}$ of the distinguisher $\mathcal{D}$ is defined by
$$\mathrm{Adv}_{\mathcal{D}} = \left| p^{\Omega_m} - p^{\Psi_m} \right|,$$
where
$$p^{\Omega_m} = \Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Omega_m) \quad\text{and}\quad p^{\Psi_m} = \Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Psi_m).$$

Assume that the distinguisher $\mathcal{D}$ is restricted to make at most $\mathrm{poly}(m)$ queries to the oracle $\mathcal{O}$, where $\mathrm{poly}(m)$ is some polynomial in $m$. We call $\mathcal{D}$ a pseudorandom distinguisher if it queries $x$ and the oracle answers $y = \pi(x)$, where $\pi$ is the permutation randomly chosen by $\mathcal{O}$. We say that $\mathcal{D}$ is a super-pseudorandom distinguisher if it is a pseudorandom distinguisher and is also allowed to query $y$ and receive $x = \pi^{-1}(y)$ from the oracle $\mathcal{O}$.

Definition 3 A function $h : \mathbb{N} \to \mathbb{R}$ is negligible if for any constant $c > 0$ and all sufficiently large $m \in \mathbb{N}$,
$$h(m) < \frac{1}{m^c}.$$

Definition 4 Let $\Psi_m$ be an efficiently computable permutation ensemble. We call $\Psi_m$ a PPE (pseudorandom permutation ensemble) if $\mathrm{Adv}_{\mathcal{D}}$ is negligible for any pseudorandom distinguisher $\mathcal{D}$.

Definition 5 Let $\Psi_m$ be an efficiently computable permutation ensemble. We call $\Psi_m$ an SPPE (super-pseudorandom permutation ensemble) if $\mathrm{Adv}_{\mathcal{D}}$ is negligible for any super-pseudorandom distinguisher $\mathcal{D}$.

In Definitions 4 and 5, a permutation ensemble is efficiently computable if all permutations in the ensemble can be computed efficiently (see the literature for the rigorous definition). It is a reasonable assumption that $\Psi_m$ is an efficiently computable permutation ensemble if it is obtained from an $m$-bit block cipher. Hence we assume that any permutation ensemble obtained from a block cipher is efficiently computable. Throughout this paper, we consider a non-adaptive distinguisher, which sends all its queries to the oracle at the same time.



2.2 Some Basic Lemmas 

Before we proceed to the main results, we state simple but useful lemmas. 

Lemma 1. Let $\pi$ be a permutation chosen from a TPE $\Omega_m$. Then for any $x, y \in I_m$, $\Pr(\pi(x) = y) = \frac{1}{2^m}$.

Proof. The assertion is straightforward since
$$\Pr(\pi(x) = y) = \frac{\#\{\pi \in \Omega_m \mid \pi(x) = y\}}{\#\Omega_m} = \frac{(2^m - 1)!}{2^m!} = \frac{1}{2^m}. \qquad \square$$



Lemma 2. Let $\pi_1$ and $\pi_2$ be two permutations independently chosen from a TPE $\Omega_m$. Then for any $x_1, x_2, y \in I_m$,
$$\Pr(\pi_1(x_1) \oplus \pi_2(x_2) = y) = \frac{1}{2^m},$$
where $\oplus$ denotes the bitwise exclusive-or.

Proof. Let $P$ be the event $\pi_1(x_1) \oplus \pi_2(x_2) = y$ and $A_i$ be the event $\pi_1(x_1) = w_i$ for $1 \le i \le 2^m$, where $I_m = \{w_1, \ldots, w_{2^m}\}$. Then the sample space is the disjoint union $\bigcup_{i=1}^{2^m} A_i$, and
$$\Pr(P \cap A_i) = \Pr(\pi_1(x_1) \oplus \pi_2(x_2) = y,\ \pi_1(x_1) = w_i) = \Pr(\pi_1(x_1) = w_i) \cdot \Pr(\pi_2(x_2) = y \oplus w_i),$$
since $\pi_1$ and $\pi_2$ are independently chosen. Hence by Lemma 1, we obtain that
$$\Pr(P) = \sum_{i=1}^{2^m} \Pr(P \cap A_i) = 2^m \cdot \frac{1}{2^m} \cdot \frac{1}{2^m} = \frac{1}{2^m}. \qquad \square$$

Lemma 3. Let $\pi$ be a permutation chosen from a TPE $\Omega_m$. Then for any $x_1 \ne x_2$ and $y \in I_m$,
$$\Pr(\pi(x_1) \oplus \pi(x_2) = y) = \begin{cases} \dfrac{1}{2^m - 1} & \text{if } y \ne 0, \\[2mm] 0 & \text{otherwise.} \end{cases}$$

Proof. Let $P$ be the event $\pi(x_1) \oplus \pi(x_2) = y$ and $A_i$ be the event $\pi(x_1) = w_i$ for $1 \le i \le 2^m$, where $I_m = \{w_1, \ldots, w_{2^m}\}$. If $y = 0$, then $\Pr(P) = 0$ since $x_1 \ne x_2$ and $\pi$ is a bijection. So we consider the case $y \ne 0$. Observe that
$$\Pr(P \cap A_i) = \Pr(\pi(x_1) \oplus \pi(x_2) = y,\ \pi(x_1) = w_i) = \Pr(\pi(x_1) = w_i,\ \pi(x_2) = y \oplus w_i) = \frac{(2^m - 2)!}{2^m!} = \frac{1}{2^m (2^m - 1)}.$$
Thus if $y \ne 0$, we obtain that
$$\Pr(P) = \sum_{i=1}^{2^m} \Pr(P \cap A_i) = 2^m \cdot \frac{1}{2^m (2^m - 1)} = \frac{1}{2^m - 1}. \qquad \square$$
Lemma 4. Let $\pi_1$ and $\pi_2$ be two permutations independently chosen from a TPE $\Omega_m$. Then for any $a, b, c, d, y \in I_m$ such that $a \ne b$ and $c \ne d$,
$$\Pr(\pi_1(a) \oplus \pi_1(b) \oplus \pi_2(c) \oplus \pi_2(d) = y) \le \frac{1}{2^{m-1}}$$
for $m \ge 2$.

Proof. Let $P$ be the event $\pi_1(a) \oplus \pi_1(b) \oplus \pi_2(c) \oplus \pi_2(d) = y$ and $A_j$ be the event $\pi_1(a) \oplus \pi_1(b) = w_j$ for $1 \le j \le 2^m$, where $I_m = \{w_1, \ldots, w_{2^m}\}$. Then by Lemma 3, we obtain that
$$\Pr(P \cap A_j) = \Pr(\pi_1(a) \oplus \pi_1(b) = w_j) \cdot \Pr(\pi_2(c) \oplus \pi_2(d) = y \oplus w_j) \le \frac{1}{2^m - 1} \cdot \Pr(\pi_2(c) \oplus \pi_2(d) = y \oplus w_j).$$
Therefore, since the events $\pi_2(c) \oplus \pi_2(d) = y \oplus w_j$ for $j = 1, \ldots, 2^m$ partition the sample space,
$$\Pr(P) = \sum_{j=1}^{2^m} \Pr(P \cap A_j) \le \frac{1}{2^m - 1} \sum_{j=1}^{2^m} \Pr(\pi_2(c) \oplus \pi_2(d) = y \oplus w_j) = \frac{1}{2^m - 1} \le \frac{1}{2^{m-1}}$$
for $m \ge 2$. $\square$
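An added check of Lemmas 1 to 4 (not part of the paper): for $m$ small enough that every permutation, or every pair of permutations, of $I_m$ can be enumerated, the probabilities are computed as exact fractions and compared with the closed forms above. It assumes $m = 3$ for Lemmas 1 and 3 and $m = 2$ for Lemmas 2 and 4; `prob`, the `lemmaN` helpers and `summary` are the example's own names.

```python
"""Exhaustive check of Lemmas 1 to 4 for small m.  Added example, not code from
the paper.  Every permutation (or every pair of permutations) of I_m is
enumerated, so each probability is an exact Fraction and can be compared with
the closed forms in the lemmas.  Assumptions: m = 3 for the single-permutation
Lemmas 1 and 3 (8! permutations) and m = 2 for the two-permutation Lemmas 2
and 4 (4!^2 pairs), which keeps the enumeration instantaneous."""
from fractions import Fraction
from itertools import permutations, product

def prob(m, k, event):
    """Pr over k independent uniform permutations of I_m that event(perms) holds.
    A permutation is a tuple p with p[x] = pi(x)."""
    perms = list(permutations(range(1 << m)))
    hits = sum(1 for ps in product(perms, repeat=k) if event(ps))
    return Fraction(hits, len(perms) ** k)

def lemma1(m, x, y):
    """Pr(pi(x) = y) = 1 / 2^m."""
    return prob(m, 1, lambda ps: ps[0][x] == y)

def lemma2(m, x1, x2, y):
    """Pr(pi1(x1) xor pi2(x2) = y) = 1 / 2^m."""
    return prob(m, 2, lambda ps: ps[0][x1] ^ ps[1][x2] == y)

def lemma3(m, x1, x2, y):
    """Pr(pi(x1) xor pi(x2) = y) = 1 / (2^m - 1) if y != 0, else 0 (x1 != x2)."""
    return prob(m, 1, lambda ps: ps[0][x1] ^ ps[0][x2] == y)

def lemma4(m, a, b, c, d, y):
    """Pr(pi1(a) xor pi1(b) xor pi2(c) xor pi2(d) = y) <= 1 / 2^(m-1)."""
    return prob(m, 2, lambda ps: ps[0][a] ^ ps[0][b] ^ ps[1][c] ^ ps[1][d] == y)

def summary():
    """Each entry pairs the enumerated value with the lemma's reference value:
    the exact closed form for Lemmas 1 to 3 and the bound 1 / 2^(m-1) for Lemma 4."""
    return {
        "lemma1 (m=3)": (lemma1(3, 5, 2), Fraction(1, 8)),
        "lemma2 (m=2)": (lemma2(2, 0, 3, 2), Fraction(1, 4)),
        "lemma3 y=0 (m=3)": (lemma3(3, 1, 6, 0), Fraction(0)),
        "lemma3 y!=0 (m=3)": (lemma3(3, 1, 6, 3), Fraction(1, 7)),
        "lemma4 y=0 (m=2)": (lemma4(2, 0, 1, 2, 3, 0), Fraction(1, 2)),
        "lemma4 y!=0 (m=2)": (lemma4(2, 0, 1, 2, 3, 3), Fraction(1, 2)),
    }

if __name__ == "__main__":
    for name, (got, ref) in summary().items():
        print(f"{name}: {got} (reference {ref})")
```

For Lemma 4 the enumeration also exposes the exact values behind the bound: with $m = 2$ the probability is $1/3$ for $y = 0$ (every non-zero $w_j$ contributes) and $2/9$ for $y \ne 0$ (the term $w_j = y$ drops out), both below $1/2^{m-1} = 1/2$.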

3 Pseudorandomness of the MISTY-Type Transformation

Matsui introduced another structure of block ciphers with provable security against differential and linear cryptanalysis, which is different from the Feistel type. This structure was later applied to the block ciphers MISTY [7] and KASUMI, so we call it the MISTY-type transformation. In this section we examine the pseudorandomness of the MISTY-type transformation.

Definition 6 For any $n$-bit permutation $f \in \Omega_n$, the $2n$-bit MISTY-type permutation $M_f \in \Omega_{2n}$ is defined by
$$M_f(L, R) = (R,\ f(L) \oplus R), \quad \text{where } L, R \in I_n.$$

Definition 7 For any $n$-bit permutation $g \in \Omega_n$, the $2n$-bit dual MISTY-type transformation $DM_g \in \Omega_{2n}$ is defined by
$$DM_g(L, R) = (g(L \oplus R),\ L), \quad \text{where } L, R \in I_n.$$

Note that $DM_{f^{-1}}$ is the inverse permutation of $M_f$. Sakurai and Zheng [11] showed that $M_{f_3} \circ M_{f_2} \circ M_{f_1}$ is not a $2n$-bit PPE even though each $f_i$ is an $n$-bit PPE. We show that $M_{f_4} \circ M_{f_3} \circ M_{f_2} \circ M_{f_1}$ is a $2n$-bit PPE under the assumption that each $f_i$ ($i = 1, 2, 3, 4$) is an $n$-bit PPE.

Theorem 1 If $f_1, f_2, f_3$, and $f_4$ are independently chosen from an $n$-bit PPE, then the four round MISTY-type transformation $M_{f_4} \circ M_{f_3} \circ M_{f_2} \circ M_{f_1}$ is a $2n$-bit PPE.

Proof. Without loss of generality, we assume that the $f_i$'s are independently chosen from the TPE $\Omega_n$. Let $\Psi_{2n}$ be the set of all permutations over $I_{2n}$ obtained from $M_{f_4} \circ M_{f_3} \circ M_{f_2} \circ M_{f_1}$, and let the $i$-th round output of this permutation be $(L_i, R_i)$ for $i = 1, 2, 3, 4$, where $(L, R)$ is the $2n$-bit input. That is, $(L_i, R_i) = (M_{f_i} \circ \cdots \circ M_{f_1})(L, R)$.

We assume that the distinguisher $\mathcal{D}$ makes $t$ calls to the oracle $\mathcal{O}$. In the $i$-th oracle call, $\mathcal{D}$ sends a query $(L^{(i)}, R^{(i)})$ to $\mathcal{O}$ and receives the corresponding output $(L_4^{(i)}, R_4^{(i)}) = \pi(L^{(i)}, R^{(i)})$, where $\pi$ is the permutation randomly chosen by $\mathcal{O}$ from $\Omega_{2n}$ or $\Psi_{2n}$.

Let $A_L$ denote the event that $L_2^{(1)}, \ldots, L_2^{(t)}$ are all distinct and $A_R$ the event that $R_2^{(1)}, \ldots, R_2^{(t)}$ are all distinct. If $A_L$ occurs, then we can see that $L_4^{(1)}, \ldots, L_4^{(t)}$ are completely random, since $L_4^{(i)} = f_3(L_2^{(i)}) \oplus R_2^{(i)}$ and the outputs of $f_3$ are completely random. Similarly, if $A_R$ occurs, then $R_4^{(1)}, \ldots, R_4^{(t)}$ are completely random. Therefore, if $A_L$ and $A_R$ occur, then $\mathrm{Adv}_{\mathcal{D}}$ is bounded above as follows:
$$\mathrm{Adv}_{\mathcal{D}} \le 1 - \Pr(A_L \cap A_R) \le \sum_{1 \le i < j \le t} \Pr(L_2^{(i)} = L_2^{(j)}) + \sum_{1 \le i < j \le t} \Pr(R_2^{(i)} = R_2^{(j)}).$$

Now we estimate $\Pr(L_2^{(i)} = L_2^{(j)})$ and $\Pr(R_2^{(i)} = R_2^{(j)})$ for any $1 \le i < j \le t$. Fix $(L^{(i)}, R^{(i)}) \ne (L^{(j)}, R^{(j)})$ arbitrarily. We have the following three cases.

Case 1: $L^{(i)} \ne L^{(j)}$ and $R^{(i)} = R^{(j)} = R_0$. Observe that $L_2^{(i)} = f_1(L^{(i)}) \oplus R_0$ and $L_2^{(j)} = f_1(L^{(j)}) \oplus R_0$. Then we obtain by Lemma 3 that
$$\Pr(L_2^{(i)} = L_2^{(j)}) = \Pr\big(f_1(L^{(i)}) \oplus f_1(L^{(j)}) = 0\big) = 0,$$
since $f_1$ is a truly random permutation. By a similar argument we also obtain that
$$\Pr(R_2^{(i)} = R_2^{(j)}) = \Pr\big(f_1(L^{(i)}) \oplus f_1(L^{(j)}) = 0\big) = 0.$$

Case 2: $L^{(i)} = L^{(j)} = L_0$ and $R^{(i)} \ne R^{(j)}$. In this case it is easy to see that
$$\Pr(L_2^{(i)} = L_2^{(j)}) = \Pr(R^{(i)} = R^{(j)}) = 0,$$
and by Lemma 3,
$$\Pr(R_2^{(i)} = R_2^{(j)}) = \Pr\big(f_2(R^{(i)}) \oplus f_2(R^{(j)}) = R^{(i)} \oplus R^{(j)}\big) \le \frac{1}{2^n - 1},$$
since $f_2$ is a truly random permutation.

Case 3: $L^{(i)} \ne L^{(j)}$ and $R^{(i)} \ne R^{(j)}$. Observe that by Lemma 3,
$$\Pr(L_2^{(i)} = L_2^{(j)}) = \Pr\big(f_1(L^{(i)}) \oplus f_1(L^{(j)}) = R^{(i)} \oplus R^{(j)}\big) \le \frac{1}{2^n - 1},$$
and by Lemma 4,
$$\Pr(R_2^{(i)} = R_2^{(j)}) = \Pr\big(f_1(L^{(i)}) \oplus f_1(L^{(j)}) \oplus f_2(R^{(i)}) \oplus f_2(R^{(j)}) = R^{(i)} \oplus R^{(j)}\big) \le \frac{1}{2^{n-1}} \quad \text{for } n \ge 2.$$

Hence, in every case,
$$\Pr(L_2^{(i)} = L_2^{(j)}) \le \frac{1}{2^n - 1} \quad\text{and}\quad \Pr(R_2^{(i)} = R_2^{(j)}) \le \frac{1}{2^{n-1}}$$
hold for $n \ge 2$. Therefore we obtain that for all $n \ge 2$,
$$\mathrm{Adv}_{\mathcal{D}} \le \frac{t(t-1)}{2} \left( \frac{1}{2^n - 1} + \frac{1}{2^{n-1}} \right) \le \frac{t(t-1)}{2^{n-1}}.$$
Consequently, $\mathrm{Adv}_{\mathcal{D}}$ is negligible, since $t = \mathrm{poly}(n)$. $\square$

Theorem 2 The two round dual MISTY-type transformation $DM_{f_2} \circ DM_{f_1}$ is not a $2n$-bit PPE even though $f_1$ and $f_2$ are chosen from the $n$-bit TPE $\Omega_n$.

Proof. Let $\Psi_{2n}$ be the set of all permutations over $I_{2n}$ obtained from $DM_{f_2} \circ DM_{f_1}$. Consider the following distinguisher $\mathcal{D}$:

1. $\mathcal{D}$ chooses two queries $x^{(1)} = (L^{(1)}, R^{(1)})$ and $x^{(2)} = (L^{(2)}, R^{(2)})$ such that $L^{(1)} = R^{(1)} = 0$ and $L^{(2)} = R^{(2)} = \delta \ne 0$.

2. $\mathcal{D}$ sends these two queries to the oracle $\mathcal{O}$ and receives the corresponding answers $(X^{(1)}, Y^{(1)})$ and $(X^{(2)}, Y^{(2)})$ from the oracle.

3. $\mathcal{D}$ outputs 1 if and only if $Y^{(1)} = Y^{(2)}$.

If the oracle implements the TPE $\Omega_{2n}$, then for any fixed $x^{(1)} = (L^{(1)}, R^{(1)})$ and $x^{(2)} = (L^{(2)}, R^{(2)})$ we obtain that
$$\Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Omega_{2n}) = \frac{\#\{\pi \in \Omega_{2n} \mid \pi(x^{(1)})|_R = \pi(x^{(2)})|_R\}}{\#\Omega_{2n}} = \frac{2^{2n} \cdot (2^n - 1) \cdot (2^{2n} - 2)!}{2^{2n}!} = \frac{1}{2^n + 1} < \frac{1}{2^n},$$
where $x|_R$ denotes the right $n$-bit half of the $2n$-bit vector $x$.

On the other hand, if $\mathcal{O}$ implements $\Psi_{2n}$, then for $x^{(1)} = (0, 0)$ and $x^{(2)} = (\delta, \delta)$,
$$\Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Psi_{2n}) = 1,$$
since $Y^{(1)} = f_1(0) = Y^{(2)}$.

Consequently we obtain that
$$\mathrm{Adv}_{\mathcal{D}} = \left| 1 - \frac{1}{2^n + 1} \right| > 1 - \frac{1}{2^n},$$
which is non-negligible. $\square$
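As an added example (not code from the paper), the following Python models Definitions 6 and 7 with explicit lookup tables for small $n$ and runs the two-query distinguisher of Theorem 2 against both sides of the experiment. Assumptions: $n = 4$, round functions drawn as random permutations from a seeded generator, and the TPE side sampled by drawing random $2n$-bit permutations; the function names are the example's own.

```python
"""MISTY-type (Definition 6) and dual MISTY-type (Definition 7) transformations
as lookup-table permutations, and the two-query distinguisher of Theorem 2
against the two-round dual MISTY-type transformation DM_f2 o DM_f1.
Added example, not code from the paper.  Assumptions: n is small (4 bits) so
round functions are explicit tables, and the TPE side of the experiment is
sampled by drawing fresh random 2n-bit permutations with a seeded generator."""
import random

def random_perm(bits, rng):
    """A uniformly random permutation of I_bits, as a lookup table."""
    table = list(range(1 << bits))
    rng.shuffle(table)
    return table

def invert(perm):
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv

def M(f):
    """M_f(L, R) = (R, f(L) xor R)."""
    return lambda L, R: (R, f[L] ^ R)

def DM(g):
    """DM_g(L, R) = (g(L xor R), L)."""
    return lambda L, R: (g[L ^ R], L)

def compose(*rounds):
    """compose(r1, r2, ...) applies r1 first, i.e. it is r_k o ... o r_1."""
    def pi(L, R):
        for r in rounds:
            L, R = r(L, R)
        return L, R
    return pi

def theorem2_distinguisher(pi, delta):
    """Queries (0, 0) and (delta, delta); outputs 1 iff the right halves agree."""
    _, y1 = pi(0, 0)
    _, y2 = pi(delta, delta)
    return int(y1 == y2)

def psi_two_round_dual_misty(n, rng):
    """One member of Psi_2n: DM_f2 o DM_f1 with f1, f2 drawn from Omega_n."""
    f1, f2 = random_perm(n, rng), random_perm(n, rng)
    return compose(DM(f1), DM(f2))

def tpe_perm(n, rng):
    """One member of Omega_2n, presented on (L, R) pairs of n-bit halves."""
    table = random_perm(2 * n, rng)
    mask = (1 << n) - 1
    return lambda L, R: (table[(L << n) | R] >> n, table[(L << n) | R] & mask)

def experiment(n=4, trials=500, seed=1):
    """Returns (rate of output 1 against Psi_2n, rate of output 1 against Omega_2n).
    Theorem 2 predicts 1 and about 1/(2^n + 1) respectively."""
    rng = random.Random(seed)
    delta = 1
    psi = sum(theorem2_distinguisher(psi_two_round_dual_misty(n, rng), delta)
              for _ in range(trials))
    tpe = sum(theorem2_distinguisher(tpe_perm(n, rng), delta) for _ in range(trials))
    return psi / trials, tpe / trials

def inverse_check(n=4, seed=2):
    """DM_{f^-1} o M_f is the identity on I_2n (remark after Definition 7)."""
    f = random_perm(n, random.Random(seed))
    pi = compose(M(f), DM(invert(f)))
    return all(pi(L, R) == (L, R) for L in range(1 << n) for R in range(1 << n))

if __name__ == "__main__":
    print("Psi_2n hit rate, Omega_2n hit rate:", experiment())
    print("DM_{f^-1} o M_f == id:", inverse_check())
```

With $n = 4$ the first rate is exactly 1 and the second settles near $1/17$, so the observed advantage is close to the bound $1 - 1/2^n$ of the proof; `inverse_check` confirms the remark that $DM_{f^{-1}}$ inverts $M_f$.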

Theorem 3 Let $g_1, g_2, g_3$ be independently chosen from an $n$-bit PPE. Then the three round dual MISTY-type transformation $DM_{g_3} \circ DM_{g_2} \circ DM_{g_1}$ is a $2n$-bit PPE.

Proof. It suffices to show the assertion under the assumption that $g_1, g_2, g_3$ are independently chosen from the $n$-bit TPE $\Omega_n$. Let $\Psi_{2n}$ be the set of all permutations over $I_{2n}$ obtained from $DM_{g_3} \circ DM_{g_2} \circ DM_{g_1}$, and let the $i$-th round output of this permutation be $(L_i, R_i)$ for $i = 1, 2, 3$, where $(L, R)$ is the $2n$-bit input.

We assume that the distinguisher $\mathcal{D}$ makes $t$ calls to the oracle $\mathcal{O}$. In the $i$-th oracle call, $\mathcal{D}$ sends a query $(L^{(i)}, R^{(i)})$ to $\mathcal{O}$ and receives the corresponding output $(L_3^{(i)}, R_3^{(i)}) = \pi(L^{(i)}, R^{(i)})$, where $\pi$ is the permutation randomly chosen by $\mathcal{O}$ from $\Omega_{2n}$ or $\Psi_{2n}$.

Let $A$ be the event that $L_1^{(1)} \oplus R_1^{(1)}, \ldots, L_1^{(t)} \oplus R_1^{(t)}$ are all distinct. If $A$ occurs, then we can see that $L_3^{(1)}, \ldots, L_3^{(t)}$ are completely random, since
$$L_3^{(i)} = g_3\big(L_1^{(i)} \oplus g_2(L_1^{(i)} \oplus R_1^{(i)})\big)$$
and the outputs of $g_2$ and $g_3$ are completely random. Similarly, we can see that if $A$ occurs, then $R_3^{(1)}, \ldots, R_3^{(t)}$ are completely random. Therefore, if $A$ occurs, then $\mathrm{Adv}_{\mathcal{D}}$ is bounded above as follows:
$$\mathrm{Adv}_{\mathcal{D}} \le 1 - \Pr(A) \le \sum_{1 \le i < j \le t} \Pr(B_{ij}),$$
where $B_{ij}$ is the event $L_1^{(i)} \oplus R_1^{(i)} = L_1^{(j)} \oplus R_1^{(j)}$.

We estimate the value of $\Pr(B_{ij})$ for any fixed $1 \le i < j \le t$. We have the following three cases, as in the proof of Theorem 1.

Case 1: $L^{(i)} \ne L^{(j)}$ and $R^{(i)} = R^{(j)} = R_0$. Observe that $L_1^{(i)} \oplus R_1^{(i)} = g_1(L^{(i)} \oplus R_0) \oplus L^{(i)}$ and $L_1^{(j)} \oplus R_1^{(j)} = g_1(L^{(j)} \oplus R_0) \oplus L^{(j)}$. Then we obtain by Lemma 3 that
$$\Pr(L_1^{(i)} \oplus R_1^{(i)} = L_1^{(j)} \oplus R_1^{(j)}) = \Pr\big(g_1(L^{(i)} \oplus R_0) \oplus g_1(L^{(j)} \oplus R_0) = L^{(i)} \oplus L^{(j)}\big) \le \frac{1}{2^n - 1},$$
since $g_1$ is a truly random permutation.

Case 2: $L^{(i)} = L^{(j)} = L_0$ and $R^{(i)} \ne R^{(j)}$. We can easily see that
$$\Pr(L_1^{(i)} \oplus R_1^{(i)} = L_1^{(j)} \oplus R_1^{(j)}) = \Pr\big(g_1(L_0 \oplus R^{(i)}) \oplus g_1(L_0 \oplus R^{(j)}) = 0\big) = 0.$$

Case 3: $L^{(i)} \ne L^{(j)}$ and $R^{(i)} \ne R^{(j)}$. If $L^{(i)} \oplus R^{(i)} = L^{(j)} \oplus R^{(j)}$, then
$$\Pr(L_1^{(i)} \oplus R_1^{(i)} = L_1^{(j)} \oplus R_1^{(j)}) = \Pr(L^{(i)} = L^{(j)}) = 0.$$
Otherwise, by Lemma 3, we obtain that
$$\Pr(L_1^{(i)} \oplus R_1^{(i)} = L_1^{(j)} \oplus R_1^{(j)}) = \Pr\big(g_1(L^{(i)} \oplus R^{(i)}) \oplus g_1(L^{(j)} \oplus R^{(j)}) = L^{(i)} \oplus L^{(j)}\big) \le \frac{1}{2^n - 1}.$$

Therefore, in every case, we obtain that $\Pr(B_{ij}) \le \frac{1}{2^n - 1}$. Thus
$$\mathrm{Adv}_{\mathcal{D}} \le \frac{t(t-1)}{2} \cdot \frac{1}{2^n - 1} = \frac{t^2 - t}{2^{n+1} - 2},$$
which is negligible, since $t = \mathrm{poly}(n)$. $\square$

From Theorems 1 and 3, we obtain the following result.

Theorem 4 If $f_1, f_2, f_3$, and $f_4$ are independently chosen from an $n$-bit PPE, then the four round MISTY-type transformation $M_{f_4} \circ M_{f_3} \circ M_{f_2} \circ M_{f_1}$ is a $2n$-bit SPPE for any non-adaptive distinguisher.



4 Pseudorandomness of KASUMI

In this section we investigate the pseudorandomness of the 3GPP algorithm KASUMI. KASUMI is a block cipher that forms the heart of the 3GPP confidentiality and integrity algorithms. KASUMI is based on the block cipher MISTY1, which is provably secure against differential and linear cryptanalysis. We can classify the permutation of KASUMI into the following three stages:

— The overall permutation of KASUMI is a 64-bit permutation composed of the eight round Feistel permutation with the two round functions FO and FL.

— The FO function is a 32-bit permutation composed of the three round MISTY-type transformation with the round permutation FI.

— The FI function is a 16-bit permutation composed of the four round unbalanced MISTY-type transformation obtained from the 7-bit S-box S7 and the 9-bit S-box S9.

By an argument similar to the proof of Theorem 1, we can easily obtain the fact that the FI function is a 16-bit PPE since S7 and S9 are bijective. On the other hand we know that the FO function is not a PPE, so it does not seem that the three round Feistel permutation of KASUMI is a PPE, unlike the Luby-Rackoff cipher. Since the pseudorandomness of KASUMI is guaranteed mainly by the FO function, we omit the FL function in this paper. On the reasonable assumption that the FI function is a PPE, we show that the four round KASUMI is a PPE.

We define two unbalanced MISTY-type transformations to examine accurately the pseudorandomness of the FI function.

Definition 8 Let $n$ and $m$ be two positive integers such that $m < n$. Then for any $n$-bit permutation $f$ and $m$-bit permutation $g$, the two $(n+m)$-bit unbalanced MISTY-type transformations $M_f \in \Omega_{n+m}$ and $M'_g \in \Omega_{n+m}$ are defined by
$$M_f(L, R) = (R,\ f(L) \oplus \bar{R}) \in I_m \times I_n, \quad \forall (L, R) \in I_n \times I_m,$$
and
$$M'_g(L, R) = (R,\ g(L) \oplus R') \in I_n \times I_m, \quad \forall (L, R) \in I_m \times I_n,$$
where for any $n$-bit vector $x$, $x'$ denotes the $m$-bit value obtained by discarding the $n - m$ most-significant bits, and for any $m$-bit vector $y$, $\bar{y}$ denotes the $n$-bit value obtained by adding $n - m$ zero bits at the most-significant end.

Theorem 5 For any positive integers $n$ and $m$ such that $m < n$, let $f_1, f_3 \in \Omega_n$ and $f_2, f_4 \in \Omega_m$ be independently chosen from an $n$-bit and an $m$-bit PPE, respectively. Then the four round unbalanced MISTY-type transformation $M'_{f_4} \circ M_{f_3} \circ M'_{f_2} \circ M_{f_1}$ is an $(n+m)$-bit PPE.

Proof. By a process similar to the proof of Theorem 1, we can obtain that
$$\mathrm{Adv}_{\mathcal{D}} \le (t^2 - t) \left[ \frac{1}{2^{n+1} - 2} + \cdots \right].$$
Then the assertion follows easily, since $t$ is a polynomial in $n$ and $m$. $\square$

From Theorem 5, it becomes a reasonable assumption that the FI function of KASUMI is a PPE. In order to investigate the pseudorandomness of KASUMI, we use a simplified figure of KASUMI. The four round simplified KASUMI is illustrated in Figure 1, where $x = (x_1, x_2, x_3, x_4)$ denotes a $4n$-bit input value, and $w = (w_1, w_2, w_3, w_4)$, $y = (y_1, y_2, y_3, y_4)$, and $z = (z_1, z_2, z_3, z_4)$ denote the corresponding outputs of the two, three, and four round KASUMI, respectively. Each of $x_i$, $w_i$, $y_i$, and $z_i$ is an $n$-bit value. We first prove the following theorem.

[Fig. 1. Simplified four round KASUMI: input blocks $x_1, x_2, x_3, x_4$ and two-round output blocks $w_1, w_2, w_3, w_4$.]

Theorem 6 The three round simplified KASUMI is not a $4n$-bit PPE even though the $f_i$'s ($i = 1, \ldots, 9$) of Figure 1 are independently chosen from an $n$-bit PPE.

Proof. Let $\Psi_{4n}$ be the set of all permutations over $I_{4n}$ obtained from the three round simplified KASUMI. Consider the following distinguisher $\mathcal{D}$:

1. $\mathcal{D}$ chooses four $4n$-bit queries $x^{(1)}, x^{(2)}, x^{(3)}$, and $x^{(4)}$ such that
$$x^{(1)} = (0, 0, x_3, x_4), \quad x^{(2)} = (x_1, 0, x_3, x_4), \quad x^{(3)} = (0, x_2, x_3, x_4), \quad x^{(4)} = (x_1, x_2, x_3, x_4),$$
where $x_1 \ne 0 \ne x_2$ and $x_3, x_4$ are fixed $n$-bit values.

2. $\mathcal{D}$ sends these four queries to the oracle $\mathcal{O}$ and receives the corresponding answers $y^{(i)}$ ($i = 1, 2, 3, 4$) from the oracle.

3. $\mathcal{D}$ outputs 1 if and only if
$$y_1^{(1)} \oplus y_1^{(2)} \oplus y_1^{(3)} \oplus y_1^{(4)} = 0.$$

If the oracle implements the TPE $\Omega_{4n}$, then we obtain that
$$\Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Omega_{4n}) \le \frac{2^{4n}(2^{4n} - 1)(2^{4n} - 2) \cdot 2^{3n} \cdot (2^{4n} - 4)!}{2^{4n}!} = \frac{2^{3n}}{2^{4n} - 3} < \frac{1}{2^{n-1}}.$$

On the other hand, if $\mathcal{O}$ implements $\Psi_{4n}$, then for $x^{(1)} = (0, 0, x_3, x_4)$, $x^{(2)} = (x_1, 0, x_3, x_4)$, $x^{(3)} = (0, x_2, x_3, x_4)$, and $x^{(4)} = (x_1, x_2, x_3, x_4)$, we can see from Figure 1 that the corresponding $2n$-bit inputs of the second round are
$$(F_1(x_3, x_4)|_L,\ F_1(x_3, x_4)|_R), \quad (x_1 \oplus F_1(x_3, x_4)|_L,\ F_1(x_3, x_4)|_R),$$
$$(F_1(x_3, x_4)|_L,\ x_2 \oplus F_1(x_3, x_4)|_R), \quad (x_1 \oplus F_1(x_3, x_4)|_L,\ x_2 \oplus F_1(x_3, x_4)|_R),$$
respectively, where $F_1 = M_{f_3} \circ M_{f_2} \circ M_{f_1}$ and $(x|_L, x|_R)$ denote the left and right $n$-bit blocks of the $2n$-bit value $x$. Thus we obtain by the argument of Sakurai-Zheng [11] that
$$y_1^{(1)} \oplus y_1^{(2)} \oplus y_1^{(3)} \oplus y_1^{(4)} = 0$$
with probability 1.

Consequently we obtain that
$$\mathrm{Adv}_{\mathcal{D}} = \left| 1 - \Pr(\mathcal{D} \text{ outputs } 1 \mid \mathcal{O} \leftarrow \Omega_{4n}) \right| \ge 1 - \frac{2^{3n}}{2^{4n} - 3},$$
which is non-negligible. $\square$
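The distinguisher of Theorem 6, as an added example (not the paper's code): a simplified KASUMI whose round function FO is the three-round MISTY-type transformation (FL omitted as in Section 4), the four-query rectangle of step 1, and the hit rates of the test in step 3 against three rounds, four rounds and a TPE. Assumptions: $n = 4$, round functions as seeded random lookup tables, a Feistel round mapping $(A, B)$ to $(B, A \oplus \mathrm{FO}(B))$ with $\mathrm{FO} = M_{f_3} \circ M_{f_2} \circ M_{f_1}$, and, since Figure 1 is not reproduced here, the first $n$-bit output block as the one whose XOR cancels under these conventions. The TPE side is sampled as four distinct uniform $4n$-bit answers, which is exactly a truly random permutation's distribution on four distinct queries.

```python
"""Simplified KASUMI of Section 4 (Feistel rounds whose round function FO is the
three-round MISTY-type transformation; FL omitted) and the four-query
distinguisher of Theorem 6.  Added example, not code from the paper.
Assumptions: n = 4 with round functions as seeded random lookup tables; a
Feistel round maps (A, B) to (B, A xor FO(B)); FO = M_f3 o M_f2 o M_f1 in the
notation of Definition 6; since Figure 1 is not reproduced here, the output
block whose XOR cancels under these conventions is the first n-bit block."""
import random

def random_perm(bits, rng):
    table = list(range(1 << bits))
    rng.shuffle(table)
    return table

def fo(f1, f2, f3, L, R):
    """Three-round MISTY-type transformation M_f3 o M_f2 o M_f1 on (L, R)."""
    for f in (f1, f2, f3):
        L, R = R, f[L] ^ R
    return L, R

def kasumi(rounds, x):
    """`rounds` is a list of (f1, f2, f3) triples, one per Feistel round;
    x = (x1, x2, x3, x4) is the 4n-bit input as four n-bit blocks."""
    a1, a2, b1, b2 = x
    for f1, f2, f3 in rounds:
        o1, o2 = fo(f1, f2, f3, b1, b2)
        a1, a2, b1, b2 = b1, b2, a1 ^ o1, a2 ^ o2
    return a1, a2, b1, b2

def rectangle(x1, x2, x3, x4):
    """The four queries of step 1: x1 and x2 toggled independently."""
    return [(0, 0, x3, x4), (x1, 0, x3, x4), (0, x2, x3, x4), (x1, x2, x3, x4)]

def distinguisher(pi, x1, x2, x3, x4):
    """Step 3: output 1 iff the first n-bit blocks of the four answers XOR to 0."""
    acc = 0
    for q in rectangle(x1, x2, x3, x4):
        acc ^= pi(q)[0]
    return int(acc == 0)

def hit_rate(nrounds, n=4, trials=200, seed=3):
    """Rate of output 1 against `nrounds`-round simplified KASUMI with fresh
    random round functions and a fresh rectangle in every trial."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rounds = [tuple(random_perm(n, rng) for _ in range(3)) for _ in range(nrounds)]
        x1, x2 = rng.randrange(1, 1 << n), rng.randrange(1, 1 << n)
        x3, x4 = rng.randrange(1 << n), rng.randrange(1 << n)
        hits += distinguisher(lambda q: kasumi(rounds, q), x1, x2, x3, x4)
    return hits / trials

def tpe_hit_rate(n=4, trials=2000, seed=4):
    """Rate of output 1 against a TPE: on four distinct queries a truly random
    permutation answers with four distinct uniform 4n-bit values, so that is
    what is sampled; the proof bounds this rate by 2^{3n} / (2^{4n} - 3)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        acc = 0
        for y in rng.sample(range(1 << (4 * n)), 4):
            acc ^= y >> (3 * n)        # first n-bit block
        hits += int(acc == 0)
    return hits / trials

if __name__ == "__main__":
    print("3 rounds:", hit_rate(3), "4 rounds:", hit_rate(4), "TPE:", tpe_hit_rate())
```

Against three rounds the test fires on every trial, because the first output block is $x_3 \oplus \mathrm{FO}_2(\cdot)|_L$ and the left half of a three-round MISTY-type transformation is $f_2(R) \oplus f_1(L) \oplus R$, which sums to zero over the rectangle; against four rounds and against the TPE the rate drops to roughly $1/2^n$, in line with Theorem 7.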

Theorem 7 If fi ’s(i = 1, 2, • • • , 12j m Figure 1 are independently chosen from 
an n-bit PPE, then the four round KASUMI is a An-bit PPE. 



Proof. Assume that ffs are independently chosen from the TPE i7„. Let F4n 
be the set of all permutations over I^n obtained from the four round KASUMI. 
Suppose that the distinguisher T> makes t calls to the oracle O. In the i-th oracle 
call, V sends a 4n-bit query x^*) = (x^*\ X2*\ Xg \ X4 to O and receives the 
corresponding output 






7{i) 



W Ji) Ji) 



)) 



where tt is the randomly chosen permutation by O from 12 4 „ or 

Let Aiu^ denote the event that the j-th block of the outputs of two round 
KASUMI are all distinct for j = l,2,3,4(see Figure 1). If A^^ 

occurs, then we can see that • • • , are completely random since the out- 
puts of /s are completely random. Furthermore we also see that z^^\ • • • , z^'^ are 
completely random because the outputs of /lo and /12 are completely random. 
Similarly, if occurs, then • • • , z[*'^ and z{^\ • • • , z^^ are completely ran- 
dom due to frifg) and /n, respectively. Therefore, if A „,3 and A^j^ occur, then 
Advj) is bounded above as follows; 

Adv-D < l-T’c(Au, 3 nA„^) < ^ Pr{w''^^ = ^ Priw^'’ = w^'’) . 



We estimate the summands Pr{w^^ = and Pr{w^f^ 

1 < * < J < L Fix x^*) = (xg*\ X2*\ Xg*\ X4 ^ ) and x^^'^ = (x 
arbitrarily. We separate the following four cases. 



U) 

1 



for any 

) 



V4 

JA 

! X2 



UA JA 
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Case 1 : ^ Consider the path xi ^ /s ^ w^. Then and 

behave randomly since /s is a truly random. So we obtain that Pr(w^'^ = w^'^) = 
Similarly we also obtain that Pr{w^'^ = ^ by considering the path 

xi ^ m- 

Case 2 : ^ x^^ . Consider the path X2 ^ fi ^ fe ^ W3. Then and 

are completely random. Thus Pr(w^^ = w^'^) = ^ holds. For w^, consider 
the path X2 ^ fi ^ 1^4, then we obtain that Pr{w^f^ = w^'^) = 

Case 3 : ^ x^^\ Consider the path x^ ^ f2 ^ /a ^ ^ Wi- Then 

we can see that rcg ' and rUg ' are completely random. By considering the path 
X3 ^ f2 ^ fb ^ wa, also we know that and are completely random. 
Hence we obtain that 

Pr{w^3^ = = wi^^) = ^ . 

Case 4 : ^4^ ^ x^\ In this case by considering the two paths X4 ^ /i ^ 
Wa and xa ^ fi ^ /a ^ fe ^ W3, we obtain that 

$$\Pr\big(w_3^{(i)} = w_3^{(j)}\big) = \Pr\big(w_4^{(i)} = w_4^{(j)}\big) = \frac{1}{2^n}$$

holds as in the above three cases.

Therefore, for any case, we obtain that

$$\Pr\big(w_3^{(i)} = w_3^{(j)}\big) = \Pr\big(w_4^{(i)} = w_4^{(j)}\big) = \frac{1}{2^n}.$$

This implies that $\mathrm{Adv}_{\mathcal D}$ is bounded by a quantity which is negligible since $t = \mathrm{poly}(n)$. □
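As an added worked computation (not part of the original proof), the two sums in the bound on $\mathrm{Adv}_{\mathcal D}$ can be evaluated once every summand is known to equal $1/2^n$; it assumes, as the case analysis does, that the $t$ queries $x^{(1)}, \dots, x^{(t)}$ are pairwise distinct, so that any pair differs in at least one block and falls under one of the four cases:

$$\mathrm{Adv}_{\mathcal D} \le \sum_{1 \le i < j \le t} \Pr\big(w_3^{(i)} = w_3^{(j)}\big) + \sum_{1 \le i < j \le t} \Pr\big(w_4^{(i)} = w_4^{(j)}\big) = 2\binom{t}{2}\cdot\frac{1}{2^n} = \frac{t(t-1)}{2^n}.$$

For $t = \mathrm{poly}(n)$ this equals $\mathrm{poly}(n)\cdot 2^{-n}$, which is negligible in $n$; the bound is quadratic in the number of oracle calls, as expected from a birthday-type collision argument on $n$-bit blocks.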

Since the pseudorandomness of the inverse transformation of Feistel-type is 
very similar to that of Feistel-type transformation, we get also the following fact. 

Corollary 1. If the $f_i$'s ($i = 1, 2, \dots, 12$) in Figure 1 are independently chosen from an $n$-bit PPE, then the four round KASUMI is a $4n$-bit SPPE for any non-adaptive distinguisher.

5 Conclusion 

We examined the pseudorandomness of the (unbalanced) MISTY-type and dual MISTY-type transformations, and by applying these results, also investigated the pseudorandomness of the 3GPP block cipher KASUMI. We showed that the four round (unbalanced) MISTY-type transformation is a pseudorandom permutation ensemble. We also proved that the three round KASUMI is not a pseudorandom permutation ensemble but the four round KASUMI is a pseudorandom permutation ensemble. In this paper we provided simplified probability-theoretic methods for non-adaptive distinguishers. By applying these proof methods to other block ciphers, we expect to obtain further useful results on pseudorandomness with little effort.
Abstract. We show how to use ideal arithmetic in the divisor class group of an affine normal subring of $K[X,Y]$ generated by monomials, where $K$ is a field, to design new public-key cryptosystems, whose security is based on the difficulty of the discrete logarithm problem in the divisor class group of that integral domain.



1 Introduction 

The security of many cryptographic systems has been based on the difficulty of several number theoretic problems. Prominent examples are the factoring problem for integers and the discrete logarithm problem (DLP) in the multiplicative group of a finite field, in the class group of an order of a quadratic field, in the group of points on an elliptic curve over a finite field, in the group of points on a hyperelliptic curve over a finite field, and others. There is, however, no guarantee that those problems remain difficult to solve in the future. On the contrary, as the experience with the factoring problem shows, unexpected breakthroughs are always possible. Therefore, it is important to design cryptographic schemes in such a way that the underlying mathematical problem can easily be replaced with another one.

This paper shows how to use ideal arithmetic in the divisor class group of an affine normal subring of $K[X,Y]$ generated by monomials, where $K$ is a field, to design new public-key cryptosystems, whose security is based on the difficulty of the discrete logarithm problem in the divisor class group of that integral domain. We believe that our DLP is much more difficult than that of the class group of an order of a quadratic number field.

2 Mathematical Background 

Let $R$ be an integral domain with quotient field $K$. If $\mathfrak a$ is an integral ideal of $R$, then any subset of $K$ of the form $\frac{1}{d}\mathfrak a$, where $d$ is a nonzero element of $R$, is called a fractional ideal of $R$. If $\mathfrak a$ and $\mathfrak b$ are fractional ideals, then their product

$$\mathfrak a\mathfrak b = \Big\{\sum_{\text{finite}} \alpha\beta \;\Big|\; \alpha \in \mathfrak a,\ \beta \in \mathfrak b\Big\}$$

is again a fractional ideal of $R$. The set $\mathcal F(R)$ of all nonzero fractional ideals of $R$ forms a commutative semigroup with identity $R$. A fractional ideal $\mathfrak a$ is said to be invertible if $\mathfrak a\mathfrak b = R$ for some fractional ideal $\mathfrak b$ of $R$. Clearly every nonzero principal fractional ideal is invertible. The (residual) quotient of $\mathfrak a$ over $\mathfrak b$

$$\mathfrak a : \mathfrak b = \{\alpha \in K \mid \alpha\mathfrak b \subseteq \mathfrak a\}$$

is a fractional ideal. For a fractional ideal $\mathfrak a$ of an integral domain $R$ with quotient field $K$, $\mathfrak a_v$ is defined as the fractional ideal $R : (R : \mathfrak a)$. A fractional ideal $\mathfrak a$ is called a divisorial ideal or $v$-ideal if $\mathfrak a_v = \mathfrak a$. The set $\mathcal D(R)$ of divisorial ideals is a commutative semigroup with identity $R$ under the $v$-product $\mathfrak a * \mathfrak b = (\mathfrak a\mathfrak b)_v$. Of course, $\mathcal D(R)$ is a group if and only if $R$ is completely integrally closed. In this case, the quotient group $\mathrm{Cl}(R) := \mathcal D(R)/\mathcal P(R)$ is called the divisor class group of $R$, where $\mathcal P(R)$ is the subgroup of $\mathcal D(R)$ which consists of all nonzero principal fractional ideals of $R$. Note that if $R$ is a Dedekind domain (equivalently, a one-dimensional Krull domain), for example, a maximal order of a quadratic number field, then the definition of the divisor class group is equal to that of the usual class group. Elements of $\mathrm{Cl}(R)$ will be denoted by $[\mathfrak a]$. Clearly, if $\mathfrak b \in [\mathfrak a]$, then $\mathfrak b = \alpha\mathfrak a$ for some $\alpha \in K$. In this case we say that $\mathfrak a$ and $\mathfrak b$ are equivalent, written $\mathfrak a \sim \mathfrak b$.

Let $a_1, \dots, a_s$ be elements in an integral domain $R$. Then we set

$$(a_1, \dots, a_s) = \Big\{\sum_{i=1}^{s} \beta_i a_i \;\Big|\; \beta_1, \dots, \beta_s \in R\Big\}.$$

Note that $(a_1, \dots, a_s)$ is an ideal of $R$. We will call $(a_1, \dots, a_s)$ the ideal generated by $a_1, \dots, a_s$. We say that an ideal $\mathfrak a$ is finitely generated if there exist $a_1, \dots, a_s \in R$ such that $\mathfrak a = (a_1, \dots, a_s)$, and we say that $a_1, \dots, a_s$ is a basis of $\mathfrak a$. Recall that an integral domain $R$ is said to be Noetherian if it satisfies the ascending chain condition on ideals. It is well-known that $R$ is Noetherian if and only if every ideal of $R$ is finitely generated. Any unexplained notation or terminology is standard, as in [S].

The following results are easy to prove (or well-known) and we will use them 
frequently without mention. 

Proposition 1. Let $R$ be an integral domain with quotient field $K$ and let $\mathfrak a$, $\mathfrak b$, and $\mathfrak c$ be nonzero fractional ideals of $R$. Then

(1) (i) $(\alpha)_v = (\alpha)$ for each $0 \ne \alpha \in K$; $\mathfrak a \subseteq \mathfrak a_v$. (ii) If $\mathfrak a \subseteq \mathfrak b$, then $\mathfrak a_v \subseteq \mathfrak b_v$. (iii) $(\alpha\mathfrak a)_v = \alpha\mathfrak a_v$, $(\mathfrak a_v)_v = \mathfrak a_v$.

(2) $(\mathfrak a_v\mathfrak b)_v = (\mathfrak a_v\mathfrak b_v)_v = (\mathfrak a\mathfrak b)_v$.

(3) $(\mathfrak a : \mathfrak b) : \mathfrak c = \mathfrak a : \mathfrak b\mathfrak c$.

(4) If $\mathfrak a$ is divisorial, then $\mathfrak a : \mathfrak b = \mathfrak a : \mathfrak b_v$.

(5) If $\mathfrak a$ is invertible, then $\mathfrak a\mathfrak b : \mathfrak c = \mathfrak a(\mathfrak b : \mathfrak c)$ and $\mathfrak b : \mathfrak a\mathfrak c = \mathfrak a^{-1}(\mathfrak b : \mathfrak c)$.



Hwankoo Kim and SangJae Moon



Recall that an integral domain R is called a Mori domain if it satisfies the 
ascending chain condition on divisorial ideals. Clearly the class of Noetherian 
domains is contained in that of Mori domains. 

Proposition 2. Let $R$ be an integral domain with quotient field $K$.

(1) $R$ is completely integrally closed if and only if $\mathfrak a : \mathfrak a = R$ for each nonzero fractional ideal $\mathfrak a$ of $R$.

(2) $R$ is a Krull domain if and only if it is a completely integrally closed Mori domain.

(3) If $R$ is completely integrally closed and $\mathfrak a$ and $\mathfrak b$ are divisorial, then $\mathfrak a \sim \mathfrak b$ if and only if $\mathfrak a : \mathfrak b$ is a principal fractional ideal.

Proof. (1) and (2) are well-known. (3) Assume that $\mathfrak a \sim \mathfrak b$. Then $\mathfrak a = \alpha\mathfrak b$ for some $\alpha \in K$. Thus $\mathfrak a : \mathfrak b = \alpha\mathfrak b : \mathfrak b = \alpha(\mathfrak b : \mathfrak b) = \alpha R$ since $R$ is completely integrally closed. Conversely, assume that $\mathfrak a : \mathfrak b$ is fractional principal, say, $\mathfrak a : \mathfrak b = \beta R$, where $\beta \in K$. Then we have

$$\mathfrak a = \mathfrak a : R = \mathfrak a : \mathfrak b\mathfrak b^{-1} = (\mathfrak a : \mathfrak b) : \mathfrak b^{-1} = \beta R : \mathfrak b^{-1} = \beta(R : \mathfrak b^{-1}) = \beta\mathfrak b_v = \beta\mathfrak b,$$

since $R$ is completely integrally closed and $\mathfrak a$ is divisorial. Thus $\mathfrak a \sim \mathfrak b$.



3 Computational Aspects 

Let $K$ be any field and let $K[x_1, \dots, x_m]$ be a polynomial ring. Denote by

$$T^m = \{x_1^{s_1} \cdots x_m^{s_m} \mid s_i \in \mathbb N,\ i = 1, \dots, m\}$$

the set of power products. Sometimes we will denote $x_1^{s_1} \cdots x_m^{s_m}$ by $x^s$, where $s = (s_1, \dots, s_m) \in \mathbb N^m$. By a term order (or monomial order) on $T^m$ we mean a total order $<$ on $T^m$ satisfying the following two conditions:

(i) $1 < x^s$ for all $x^s \in T^m$, $x^s \ne 1$;

(ii) if $x^s < x^t$, then $x^s x^u < x^t x^u$, for all $x^u \in T^m$.

Note that every term order on $T^m$ is a well-ordering [?, Theorem 1.4.6].

To introduce the concept of a Gröbner basis for an ideal, we fix some notation. First we choose a term order on $K[x_1, \dots, x_m]$. Then for all $0 \ne f \in K[x_1, \dots, x_m]$, we may write

$$f = a_1 x^{s_1} + a_2 x^{s_2} + \cdots + a_r x^{s_r},$$

where $a_i \in K$, $x^{s_i} \in T^m$, and $x^{s_1} > x^{s_2} > \cdots > x^{s_r}$. We will always try to write our polynomials in this way. We define:

• $\mathrm{lp}(f) = x^{s_1}$, the leading power product of $f$;

• $\mathrm{lc}(f) = a_1$, the leading coefficient of $f$.

We also define $\mathrm{lp}(0) = \mathrm{lc}(0) = 0$.
Definition 1. A set of nonzero polynomials $G = \{g_1, \dots, g_t\}$ contained in an ideal $\mathfrak a$ of the polynomial ring over a field is called a Gröbner basis for $\mathfrak a$ if and only if for all $f \in \mathfrak a$ such that $f \ne 0$, there exists $i \in \{1, \dots, t\}$ such that $\mathrm{lp}(g_i)$ divides $\mathrm{lp}(f)$.

Buchberger's Algorithm to compute Gröbner bases is given in [?, Algorithm 1.7.1] and many computer algebra systems including Macaulay 2 [?] implement a version of Buchberger's Algorithm for computing Gröbner bases. It is well-known that if $G = \{g_1, \dots, g_t\}$ is a Gröbner basis for the ideal $\mathfrak a$, then $\mathfrak a = (g_1, \dots, g_t)$ [?, Corollary 1.6.3].

Definition 2. A Gröbner basis $G = \{g_1, \dots, g_t\}$ is said to be reduced if, for all $i$, $\mathrm{lc}(g_i) = 1$ and no nonzero term in $g_i$ is divisible by any $\mathrm{lp}(g_j)$ for any $j \ne i$.

Theorem 1. [?, Theorem 1.8.7] Fix a term order. Then every nonzero ideal $\mathfrak a$ has a unique reduced Gröbner basis with respect to this term order.

Let $R$ be an integral domain and let $\mathfrak a$ and $\mathfrak b$ be integral ideals of $R$. Then

$$\mathfrak a :_R \mathfrak b = \{r \in R \mid r\mathfrak b \subseteq \mathfrak a\}$$

is also an ideal of $R$.

We show that if $R = K[x_1, \dots, x_m]$ is a polynomial ring over a field $K$, a (Gröbner) basis for the ideal $\mathfrak a :_R \mathfrak b$ (resp., $\mathfrak a_v$) can be computed using a computer algebra system. The following useful proposition relates the quotient operation to the other operations:

Proposition 3. Let $\mathfrak a$, $\mathfrak a_i$, $\mathfrak b$, $\mathfrak b_i$ and $\mathfrak c$ be ideals in an integral domain $R$ for $1 \le i \le r$. Then

$$\Big(\bigcap_{i=1}^{r} \mathfrak a_i\Big) :_R \mathfrak b = \bigcap_{i=1}^{r} (\mathfrak a_i :_R \mathfrak b), \tag{1}$$

$$\mathfrak a :_R \Big(\sum_{i=1}^{r} \mathfrak b_i\Big) = \bigcap_{i=1}^{r} (\mathfrak a :_R \mathfrak b_i), \tag{2}$$

$$(\mathfrak a :_R \mathfrak b) :_R \mathfrak c = \mathfrak a :_R \mathfrak b\mathfrak c. \tag{3}$$



The actual computation can be carried out as follows:

Proposition 4. [?, Proposition 2.2.1] Let $R$ be an integral domain with quotient field $K$ and let $\mathfrak a = (a_1, \dots, a_m)$ and $\mathfrak b$ be integral ideals of $R$. Then:

$$R : \mathfrak a = \big((a_1) :_R (a_2, \dots, a_m)\big)\, a_1^{-1}, \tag{4}$$

$$\mathfrak b : \mathfrak a = \Big(\bigcap_{i=1}^{m} \mathfrak b\,(a_1 \cdots \widehat{a_i} \cdots a_m)\Big)(a_1 \cdots a_m)^{-1}. \tag{5}$$






Let $R = K[x_1, \dots, x_n]$ be a polynomial ring over a field $K$. If $0 \ne f \in R$ and $\mathfrak a$ an ideal of $R$, we often write $\mathfrak a :_R f$ instead of $\mathfrak a :_R (f)$. Note that a special case of equation (2) is that

$$\mathfrak a :_R (f_1, \dots, f_r) = \bigcap_{i=1}^{r} (\mathfrak a :_R f_i). \tag{6}$$

We now turn to the question of how to compute generators of the ideal quotient $\mathfrak a :_R \mathfrak b$ given generators of $\mathfrak a$ and $\mathfrak b$. The following observation is the key step.

Theorem 2. [?, Theorem 4.4.11] Let $\mathfrak a$ be an ideal and $g$ an element of $R = K[x_1, \dots, x_n]$. If $\{h_1, \dots, h_p\}$ is a basis of the ideal $\mathfrak a \cap (g)$, then $\{h_1/g, \dots, h_p/g\}$ is a basis of $\mathfrak a :_R (g)$.

• Theorem 2, together with an algorithm for computing intersections of ideals [?, Section 2.3] and equation (6), immediately leads to an algorithm for computing a basis of an ideal quotient $\mathfrak a :_R \mathfrak b$ and hence a basis of the divisorial closure $\mathfrak a_v$ of $\mathfrak a$ by equation (4).

• Equation (5), together with an algorithm for computing intersections of ideals, immediately leads to an algorithm for computing a basis of an ideal quotient $\mathfrak b : \mathfrak a$.

Let $R$ be an affine normal (= integrally closed) subring of $T = K[X,Y]$ generated by monomials with $R \subseteq T$ integral, where $K$ is a field. Then $R$ is isomorphic to either $T$ or

$$R_{n,j} := K[X^n, XY^j, X^2Y^{\overline{2j}}, \dots, X^{n-1}Y^{\overline{(n-1)j}}, Y^n],$$

where $0 < j < n$, $\gcd(j, n) = 1$, and $\overline{m}$ denotes the smallest representative in $\mathbb N$ of the congruence class of $m$ modulo $n$ [?, Theorem 2.5]. Note that $R_{n,j}$ is a two-dimensional Noetherian Krull domain which is $\mathbb Z_+ \times \mathbb Z_+$-graded by $\deg X^iY^j = (i, j)$. The following result is due to D. F. Anderson [?, Theorem 4.4].

Theorem 3. Let $R_{n,j} := K[X^n, XY^j, X^2Y^{\overline{2j}}, \dots, X^{n-1}Y^{\overline{(n-1)j}}, Y^n]$, where $K$ is a field, $0 < j < n$, $\gcd(j, n) = 1$, and $\overline{m}$ denotes the smallest representative in $\mathbb N$ of the congruence class of $m$ modulo $n$. Then $\mathrm{Cl}(R_{n,j}) \cong \mathbb Z/n\mathbb Z$.

Let

$$\mathfrak p_1 = (X^n, XY^j, X^2Y^{\overline{2j}}, \dots, X^{n-1}Y^{\overline{(n-1)j}})$$

and

$$\mathfrak p_2 = (XY^j, X^2Y^{\overline{2j}}, \dots, X^{n-1}Y^{\overline{(n-1)j}}, Y^n).$$

Then from the proof of Theorem 3 we know that $\mathrm{Cl}(R_{n,j})$ can be generated by either $[\mathfrak p_1]$ or $[\mathfrak p_2]$.

We do not know whether it is possible to compute a Gröbner basis of a nonzero ideal of $K[X^n, XY^j, X^2Y^{\overline{2j}}, \dots, X^{n-1}Y^{\overline{(n-1)j}}, Y^n]$. However, at least we can compute a (reduced) Gröbner basis of a nonzero ideal of the following special ring: $R_{n,1} = K[X^n, XY, Y^n]$, where $K$ is a computable field, for example, $\mathbb Q$ or a finite field. Indeed, it is not difficult to see that $R_{n,1} \cong K[x, y, z]/(z^n - xy)$, where $x$, $y$, and $z$ are indeterminates. Since we can compute this isomorphism using a computer algebra system, we may assume that $R_{n,1} = K[x, y, z]/(z^n - xy)$. An explicit method for computing the sum and product operations in the quotient ring $R_{n,1}$ is given in [?, section 5.3].

Since most algebraic properties of the ideal are easily (i.e., in polynomial time) deduced from a Gröbner basis, the complexity of the Gröbner basis algorithm is an important problem. In [?], F. Winkler gave an upper bound for the degrees of the polynomials which appear during the computation of a Gröbner basis of an ideal in $K[x, y, z]$. This bound is $(8D + 1)\,2^{d}$, where $D$ (resp. $d$) is the maximal (resp. minimal) degree of the members of the initial system of generators. However, as mentioned in [?], this minimal degree usually drops during the Gröbner basis computation, thus giving better and better bounds for the actual result of the computation.

In the next section, we show that each divisor class of divisorial ideals of $R_{n,1}$ contains a "representative" ideal. Indeed, its proof immediately leads to an algorithm for finding such a representative ideal. This can then be used as the basis of our new public-key cryptosystems.

4 The New Cryptosystem 

Let $\mathfrak a$ be a nonprincipal divisorial ideal of $R_{n,1}$. Then $\mathfrak a = \mathbf a/(z^n - xy)$ for some ideal $\mathbf a$ of $K[x, y, z]$. Thus by Theorem 1 there exists a unique reduced Gröbner basis $\{g_1, \dots, g_m\}$ for $\mathbf a$. Now we can compute the greatest common divisor of $g_1, \dots, g_m$ as in [?, section 2.3]. Let $g = \gcd(g_1, \dots, g_m)$. Then for each $i$ we have $g_i = g g_i'$ for some $g_i' \in K[x, y, z]$. Set $\mathbf a' = (g_1', \dots, g_m')$. Then $\{g_1', \dots, g_m'\}$ is the unique reduced Gröbner basis for $\mathbf a'$. Note that $\gcd(g_1', \dots, g_m') = 1$. We define $\mathrm{Red}(\mathfrak a) = \mathbf a'/(z^n - xy)$ and we say that $\mathfrak a$ is reduced if $\mathrm{Red}(\mathfrak a) = \mathfrak a$. Note that $\mathrm{Red}(\mathfrak a)$ is a nonprincipal divisorial ideal of $R_{n,1}$ and $[\mathrm{Red}(\mathfrak a)] = [\mathfrak a]$. Now we show that there exists only one reduced ideal in every divisor class. To this end, it suffices to show that if $\mathfrak b$ is a nonprincipal divisorial ideal of $R_{n,1}$ such that $\mathfrak b \in [\mathfrak a]$, then $\mathrm{Red}(\mathfrak a) = \mathrm{Red}(\mathfrak b)$. Let $\mathbf b \subseteq K[x, y, z]$ be an ideal such that $\mathfrak b = \mathbf b/(z^n - xy)$. Then again by Theorem 1 there exists a unique reduced Gröbner basis $\{h_1, \dots, h_l\}$ for the ideal $\mathbf b$. Since $\mathfrak b \in [\mathfrak a]$, we have $\mathbf b = f\mathbf a$ for some $f$. Note that $\{fgg_1', \dots, fgg_m'\}$ is also a reduced Gröbner basis for $\mathbf b$. By the uniqueness of the reduced Gröbner basis for $\mathbf b$, we have $l = m$. Let $h = \gcd(h_1, \dots, h_m)$. Then for each $i$, $h_i = h h_i'$, where each $h_i' \in K[x, y, z]$. Let $\mathbf b' = (h_1', \dots, h_m')$. Then $\gcd(h_1', \dots, h_m') = 1$ and $\mathrm{Red}(\mathfrak b) = \mathbf b'/(z^n - xy)$. Note that $\{hh_1', \dots, hh_m'\}$ is also a reduced Gröbner basis for $\mathbf b$. Since $\{fgg_1', \dots, fgg_m'\} = \{hh_1', \dots, hh_m'\}$, again by the uniqueness of the reduced Gröbner basis for $\mathbf b$, we have $fg = h$ by the uniqueness of the greatest common divisor. Thus $\{g_1', \dots, g_m'\} = \{h_1', \dots, h_m'\}$ and so $\mathbf a' = \mathbf b'$. Hence $\mathrm{Red}(\mathfrak a) = \mathrm{Red}(\mathfrak b)$.

We identify each divisor class of the divisor class group with the unique reduced ideal. Hence we define the operation in the class group as ideal $v$-multiplication followed by reduction, i.e., all arithmetic will be performed with reduced ideals.

The security of our proposed public-key cryptosystems is based on the difficulty of the DLP in the divisor class group of an affine normal subring of $K[X, Y]$ generated by monomials, where $K$ is a field. We believe that this problem is much more difficult than the DLP in the class group of an order of a quadratic field, because the ideal $(\mathfrak a^x)_v$ is "masked" by the operation $v$. That is, it is also very difficult to calculate from

Discrete Logarithm Problem in Divisor Class Groups. Given divisorial ideals $\mathfrak a$ and $\mathfrak b$, compute $x \in \mathbb N$ such that

$$[\mathfrak b] = [\mathfrak a]^x \quad (\text{i.e., } \mathfrak b \sim (\mathfrak a^x)_v),$$

if such an $x$ exists.



Although we can obtain analogs of well-known public-key cryptosystems based on the (original) DLP, we present here only an analog of the ElGamal encryption and of the Diffie-Hellman key exchange system employing the divisor class group of the integral domain $R_{n,1}$.



4.1 Analog of ElGamal 



Let $n$ be any positive integer such that the DLP in $\mathrm{Cl}(R_{n,1})$ is intractable and let $\mathfrak a$ be a reduced ideal of $R_{n,1}$ such that $[\mathfrak a]$ is a primitive element of $\mathrm{Cl}(R_{n,1})$. Let $\mathfrak b = \mathrm{Red}((\mathfrak a^{\alpha})_v)$. Let $\mathfrak m$ be the plaintext, where $\mathfrak m$ is a reduced ideal of $R_{n,1}$. For a secret random integer $k$ ($1 < k < n$), define

$$E(\mathfrak m, k) = (\mathfrak c_1, \mathfrak c_2),$$

where

$$\mathfrak c_1 = \mathrm{Red}((\mathfrak a^k)_v) \quad \text{and} \quad \mathfrak c_2 = \mathrm{Red}((\mathfrak m\mathfrak b^k)_v).$$

For two reduced ideals $\mathfrak c_1$ and $\mathfrak c_2$, define



D(ci,C 2) = i?ed((c2(c?) 




New Public-Key Cryptosystem Using Divisor Class Groups



Verification. The decryption of the above algorithm allows recovery of the original plaintext $\mathfrak m$ since

$$D(E(\mathfrak m, k)) = D\big(\mathrm{Red}((\mathfrak a^k)_v),\ \mathrm{Red}((\mathfrak m\mathfrak b^k)_v)\big) = \mathrm{Red}\Big(\big((\mathfrak m\mathfrak b^k)_v\,(((\mathfrak a^k)_v)^{\alpha})_v^{-1}\big)_v\Big) = \mathrm{Red}((\mathfrak m)_v) = \mathrm{Red}(\mathfrak m) = \mathfrak m.$$

4.2 Analog of the Diffie-Hellman Key Exchange

We now set up a method similar to that of [?] for a secret key exchange. Two users Alice and Bob select a positive integer $n$ such that the DLP on $\mathrm{Cl}(R_{n,1})$ is intractable and a reduced ideal $\mathfrak a$ of $R_{n,1}$. The integer $n$, the integral domain $R_{n,1}$, and the ideal $\mathfrak a$ can be made public.

(1) Alice selects a random integer $x$ and computes a reduced ideal $\mathfrak b$ such that

$$\mathfrak b \sim (\mathfrak a^x)_v.$$

Alice sends $\mathfrak b$ to Bob.

(2) Bob selects a random integer $y$ and computes a reduced ideal $\mathfrak c$ such that

$$\mathfrak c \sim (\mathfrak a^y)_v.$$

Bob sends $\mathfrak c$ to Alice.

(3) Alice computes a reduced ideal $\mathfrak b_1 \sim (\mathfrak c^x)_v$ and Bob computes a reduced ideal $\mathfrak b_2 \sim (\mathfrak b^y)_v$.

Verification. Since $\mathfrak b_1 \sim (\mathfrak c^x)_v \sim (\mathfrak a^{xy})_v \sim (\mathfrak b^y)_v \sim \mathfrak b_2$, Alice and Bob have a common secret key $\mathfrak b_1 = \mathfrak b_2$.

4.3 Security Aspects 

The security of our proposed public-key cryptosystems is based on the difficulty of the DLP in the divisor class group of the integral domain $R_{n,1}$. For our proposed public-key cryptosystems, we can choose any positive integer $n$ and any computable field $K$ as a coefficient ring such that the DLP in $\mathrm{Cl}(R_{n,1})$ is intractable. Thus, to avoid a brute force attack, we have to choose a sufficiently large positive integer $n$. We do not know the key size for a secure system yet.
In [?], a subexponential-time algorithm for computing class groups of imaginary quadratic orders in number fields was invented by J. L. Hafner and K. S. McCurley, and it was shown how to use this algorithm and the index-calculus method to calculate discrete logarithms. Improved algorithms for computing class groups that simplify the index-calculus algorithm in class groups were presented in [?]. To the best of our knowledge, there is no subexponential-time algorithm for computing discrete logarithms in our divisor class groups.
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Abstract. We show for the first time how to implement cryptographic 
protocols based on class groups of algebraic number fields of degree > 2. 
We describe how the involved objects can be represented and how the 
arithmetic in class groups can be realized efficiently. To speed up the 
arithmetic we present our new method for multiplication of ideals. Fur- 
thermore we show how to generate cryptographically suitable algebraic 
number fields. Besides, we give a numerical example and analyse our run 
times. 



1 Introduction 

Successful e-business requires secure authentication and binding communication. To reach this goal one uses digital signature schemes. Basically, the public key cryptosystems (including the signature schemes) used today in practice are based on the following two families of computational problems:

1. the integer factoring problem and the discrete log problem in finite fields (e.g. RSA or DSA)

2. the discrete log problem in the group of points of an elliptic curve over a finite field (e.g. ECDSA)

But it is absolutely unclear whether these problems remain difficult in the future. On the contrary, in the last 15 years there was very big progress regarding the development of efficient factoring algorithms and discrete log algorithms for finite fields [?]. Furthermore, the crypto community found again and again algorithms that solve very efficiently the discrete log problem for families of elliptic curves over finite fields, such that these are useless for cryptography [?]. Therefore, a major task of today's public key cryptography is the search for new computational problems which can be used for the construction of secure and efficient public key cryptosystems.

In [?] the discrete log problem in class groups of algebraic number fields (NFDL) was suggested. Recently the root problem was introduced as a special case of NFDL [?]: Given a class group $\mathrm{Cl}$ of an order of an algebraic number field, a prime number $p$ which does not divide the order of $\mathrm{Cl}$, and a group element $\mathfrak a$, find the $p$th root of $\mathfrak a$. The NFDL and the root problem seem to be computational problems as desired: The best known algorithms require the solution of an index calculus problem and many shortest vector problems in lattices. Firstly, the complexity is therefore subexponential in the binary length of the discriminant and exponential in the degree of the number field (see [?]). Secondly, solving NFDL hence is independent of the basic problems in public key cryptography used today.

In practice, however, many problems remained to be solved. Since no efficient algorithm is known for computing the class number (i.e. the order of the class group), the well known signature protocols (such as DSA, ElGamal, RSA) are not applicable over number fields. Very recently, modifications of these protocols resulted in protocols which can be used in number fields. They were introduced and analysed in [?]. It was shown why the root problem in class groups of algebraic number fields proves difficult. Note that optimized implementations of signature schemes over imaginary quadratic number fields (degree of the number field is 2) are more efficient than implementations of the RSA signature scheme ([?]). In this paper we consider number fields of degree $> 2$. The root problem of these number fields is even harder than in the imaginary quadratic case (see [?]). But number fields of degree $> 2$ raise further problems: As far as the arithmetic is concerned, deciding equality of ideal classes is far from being trivial. Another difficulty arises from the generation of cryptographically suited class groups, since in general, class groups of number fields of degree $> 2$ are very small whereas we need large class groups.

Although approaches to these problems are known in theory, no implementa- 
tion of a cryptosystem based on class groups of algebraic number fields of degree 
> 2 was done so far. In this paper, we describe our first implementation of such 
a cryptosystem (signature scheme). Besides, we explain our new method for the 
multiplication of ideals which leads to a faster signing and verification procedure. 

This paper is organized as follows: 

In section 2 we will explain our representation of the mathematical objects 
and the arithmetic in number fields and class groups. Particularly, we shall ex- 
plain our new method for the multiplication of ideals and describe our imple- 
mentation of equality decision in class groups. 

In section 3, we shall discuss some requirements on cryptographically good 
orders of algebraic number fields. We will suggest instances of cryptographically 
good orders. 

In section 4, we will present the RDSA signature scheme. Besides we shall 
give an explicit example and run times. 

In a final section 5, we shall argue that cryptosystems based on algebraic 
number fields do have the potential to become practical in the future. 

2 Efficient Arithmetic for Algebraic Number Fields 

In the sequel we use the following notation: Let $\mathcal K$ be an algebraic number field (in the following only called "number field") of degree $n$ with signature $(r, s)$ and with generating polynomial $f$. By $\sigma_1, \dots, \sigma_r$ we denote the real embeddings and by $\sigma_{r+1}, \bar\sigma_{r+1}, \dots, \sigma_{r+s}, \bar\sigma_{r+s}$ the nonreal embeddings of $\mathcal K$ into $\mathbb C$. Let $\mathcal O$ be the maximal order of $\mathcal K$. (Fractional) ideals are called $\mathfrak a, \mathfrak b, \mathfrak c, \dots$; for prime ideals we typically use $\mathfrak p_i$. By $\mathrm{Cl}$ and by $h = |\mathrm{Cl}|$ we denote the class group and the class number of $\mathcal K$. For an ideal $\mathfrak a$ we denote its equivalence class in the class group by $[\mathfrak a]$. Finally, let $\Delta$ be the discriminant of the number field $\mathcal K$. For a general introduction into the theory of number fields see for instance [?].

We explain in this section how to represent the mathematical objects that we use in our implementation of cryptographic protocols. Some of the material was already presented in [?]. Furthermore, we describe the basic algorithms we need for implementing the cryptographic protocols. Besides, we explain our new (faster) method for the multiplication of ideals and how we decide the equality of ideal classes.

2.1 Representation of the Objects 

Representing Number Fields and Orders. The key for representing number fields and orders is the need to describe the multiplication of two algebraic numbers in the field or the order. So we represent the algebraic number field by its generating polynomial $f$. Computation in the number field then is the same as polynomial arithmetic mod $f$. Therefore, we can represent an algebraic number $\alpha$ by a polynomial mod $f$, i.e. we have $\alpha = \frac{1}{d}\sum_{i=0}^{n-1} a_i x^i$ with $d, a_i \in \mathbb Z$.

Moreover, this implicitly represents the order $\mathbb Z[x]/(f)$ consisting of those numbers with denominator $d = 1$. However, in general we do not want to compute in this specific order but rather in the maximal order, which cannot always be represented in this way. For this reason we additionally store a transformation matrix $T \in \mathbb Z^{n \times n}$ and a denominator $d$ to describe the order with a $\mathbb Z$-basis $(\omega_0, \dots, \omega_{n-1}) = (1, x, \dots, x^{n-1})\,\frac{1}{d}T$, where $\omega_i \in \frac{1}{d}\mathbb Z[x]/(f)$. Arithmetic could then be done by using the matrices $T$ and $T^{-1}$ and doing polynomial arithmetic. However, we do this only if $T$ is the identity matrix; otherwise we use an additional multiplication table which describes how two elements of the basis are multiplied, i.e. we store $w_{i,j,k}$, $0 \le i, j, k < n$, with $\omega_i \cdot \omega_j = \sum_{k=0}^{n-1} w_{i,j,k}\,\omega_k$. Such a multiplication table is also sufficient to describe the order or number field, thus we can even omit the polynomial in this case.

Representing Algebraic Numbers. We store algebraic numbers as a coefficient vector with respect to a given basis and a denominator, where all coefficients and the denominator are numbers in $\mathbb Z$, i.e. $\alpha = \frac{1}{d}\sum_{i=0}^{n-1} a_i\omega_i$ is represented by the tuple $(d, (a_0, \dots, a_{n-1}))$. Then addition and subtraction can be done componentwise (once we have found the common denominator of the two numbers involved) and multiplication and division can be done using either polynomial arithmetic or the multiplication table mentioned above.
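The representation just described, as an added Python example that is not part of the authors' LiDIA implementation: an algebraic number is the tuple $(d, (a_0, \dots, a_{n-1}))$ over the equation order $\mathbb Z[x]/(f)$ (so $T$ is the identity), multiplication is done once as polynomial arithmetic mod $f$ and once through the table $w_{i,j,k}$, and the two agree. The cubic field with $f = x^3 - 2$ and the function names are my own constructed choices.

```python
from math import gcd

# Constructed sample (not from the paper): the cubic field Q(alpha) with
# alpha^3 = 2, i.e. generating polynomial f = x^3 - 2, stored lowest degree
# first.  f must be monic with integer coefficients for the reduction below.
F = [-2, 0, 0, 1]


def poly_mul_mod(a, b, f=F):
    """Multiply two coefficient vectors (length n, lowest degree first) as
    polynomials in x and reduce modulo the monic polynomial f.  This is the
    'polynomial arithmetic mod f' of the text for the order Z[x]/(f)."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # eliminate x^k for k >= n using x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1}),
    # highest power first so that every newly created term is handled in turn
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for i in range(n):
                prod[k - n + i] -= c * f[i]
    return prod[:n]


def normalize(d, coeffs):
    """Bring (d, coeffs) to lowest terms with a positive denominator, so that
    equal numbers always have equal tuples."""
    g = abs(d)
    for c in coeffs:
        g = gcd(g, abs(c))
    if d < 0:
        g = -g
    return (d // g, [c // g for c in coeffs])


def add(u, v):
    """Componentwise addition after moving both numbers to a common denominator."""
    (d1, a), (d2, b) = u, v
    d = d1 * d2 // gcd(d1, d2)
    return normalize(d, [x * (d // d1) + y * (d // d2) for x, y in zip(a, b)])


def mul(u, v):
    """Multiplication via polynomial arithmetic mod f; denominators multiply."""
    (d1, a), (d2, b) = u, v
    return normalize(d1 * d2, poly_mul_mod(a, b))


def unit_vector(i, n):
    """Coefficient vector of the basis element omega_i = x^i."""
    return [1 if k == i else 0 for k in range(n)]


def multiplication_table(f=F):
    """table[(i, j)] is the coefficient vector of omega_i * omega_j in the basis
    (omega_0, ..., omega_{n-1}) = (1, x, ..., x^{n-1}), i.e. the numbers
    w_{i,j,k} of the text.  Once built, f itself is no longer needed."""
    n = len(f) - 1
    return {(i, j): poly_mul_mod(unit_vector(i, n), unit_vector(j, n), f)
            for i in range(n) for j in range(n)}


def mul_by_table(u, v, table):
    """Multiplication using only the table: sum over i, j of a_i b_j (omega_i omega_j)."""
    (d1, a), (d2, b) = u, v
    n = len(a)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            if a[i] and b[j]:
                for k in range(n):
                    out[k] += a[i] * b[j] * table[(i, j)][k]
    return normalize(d1 * d2, out)


if __name__ == "__main__":
    alpha = (1, [0, 1, 0])        # alpha = x
    half_alpha = (2, [0, 1, 0])   # alpha / 2
    u = (3, [1, 0, 1])            # (1 + alpha^2) / 3
    print(mul(mul(alpha, alpha), alpha))                       # alpha^3 = 2
    print(mul(half_alpha, u), mul_by_table(half_alpha, u, multiplication_table()))
```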

Representing Ideals. (Fractional) ideals of the maximal order $\mathcal O$ can be represented by a $\mathbb Z$-basis that contains $n$ algebraic integers. Choosing the coefficient vector in $\mathbb Q^n$ to represent an algebraic integer and extracting the common denominator, one can represent an ideal $\mathfrak a$ by an $n \times n$ matrix $A$ with integer entries whose absolute value is bounded by $|\Delta|$ and a denominator in $\mathbb Z$. This is the commonly used $\mathbb Z$-basis representation of ideals [?]. We now explain our more efficient method: We can determine the exponent of such an ideal, i.e. the smallest positive number $e \in \mathbb Z$ with $e\mathcal O \subseteq \mathfrak a$. Then the ideal can be represented by $e$ and $\bar A$, where $\bar A$ is a matrix with entries in $\mathbb Z/e\mathbb Z$ obtained from $A$ by reducing each entry mod $e$. We store $\bar A$ as a reduced matrix, preferably with as few columns as possible as described in [?]. There is a way to represent $\mathfrak a$ by a uniquely determined $\bar A$ first described by Howell [?], but this method maximizes the number of columns of $\bar A$. Instead we use heuristics to try to have an $\bar A$ with fewer columns. This leads to a representation that is not unique. Moreover, computing $e$ consumes some time and is not always needed, as any multiple of $e$ will do as well in this representation, possibly at the cost of having more columns in $\bar A$ than necessary. In the following we shall call this representation the LiDIA representation of ideals [?].

Equality of two ideals is then decided by first determining the true exponent of both ideals and then computing the unique representation of the module generated by the columns of $\bar A$ as described by Howell.



Representing Prime Ideals. For efficiency reasons, prime ideals are represented in a different way, as we know that in our applications prime ideals are typically used to compute power products of prime ideals. Furthermore, when dealing with class groups, we typically have to handle many prime ideals. Thus we optimize for space efficiency and for an optimized computation of power products: We represent a prime ideal $\mathfrak p$ by a prime $p \in \mathbb Z$ and an algebraic integer $\pi$, such that $\mathfrak p = p\mathcal O + \pi\mathcal O$. Thus, an ideal $\mathfrak a$ can be multiplied by $\mathfrak p$ by adding $p\mathfrak a$ and $\pi\mathfrak a$, and powers of $\mathfrak p$ can also easily be computed (in particular $\mathfrak p^{z}$, where $z$ denotes the ramification index of $p$ at $\mathfrak p$).



Representing Ideal Classes. Ideal classes are represented by any of the LLL-reduced ideals (see below) that are members of the class. Therefore, an ideal class is represented by $(e, \bar A)$ where the positive integer $e$ is the exponent of an LLL-reduced ideal in the given ideal class ($1 \le e \le |\Delta|$) and $\bar A$ is an $n \times r$ matrix ($1 \le r \le n$) with entries in $\mathbb Z/e\mathbb Z$. (The LLL-reduced ideals can roughly be seen as the equivalent of "small" remainders in computations modulo an integer.) Note that this representation is not unique.



2.2 Basic Algorithms in Number Fields 

Let $\mathcal K$ be a number field, $\mathcal O$ an order of $\mathcal K$ and $\mathfrak a$, $\mathfrak b$ two ideals of $\mathcal O$.



The Group Operation. As explained in the previous subsection, we represent group elements (ideal classes) by one of their reduced representatives. Thus, we realize the group operation $[\mathfrak a] \cdot [\mathfrak b]$ by multiplying the representing ideals and LLL-reducing the resulting ideal $\mathfrak a\mathfrak b$.

Reducing an Ideal. Ideal reduction is done as follows: Determine Minkowski's embedding, which leads to a lattice. Using the LLL algorithm calculate a short vector of this lattice. This is the representation of an LLL-reduced ideal in the ideal class $[\mathfrak a]$.

Ideal Multiplication. For ideal multiplication we use different algorithms depending on the type of ideal. If we multiply by a prime ideal we can use the method mentioned above; in general we need to determine a matrix whose columns generate the product. In the worst case that matrix has many more than $n$ columns and then needs to be reduced to a matrix with at most $n$ columns as described in [?]. In the following section we will introduce a new faster multiplication for ideals which we will use in our signature scheme for signing a message.

Note that using the algorithm for group multiplication we can realize efficient exponentiation in the group [?].



Determining the Maximal Order. For computing the maximal order, even the simple Round 2 algorithm, as described e.g. in [?], is sufficient.



Choosing a Group Element at Random.

Theorem 1 ([?]). Let $\mathcal K$ be a number field with discriminant $\Delta$. Under the generalized Riemann hypothesis (GRH), the set of all prime ideals (more exactly, of their classes) with norm $\le 12(\ln|\Delta|)^2$ forms a generating system of the class group of $\mathcal K$. Depending on the signature of the field there are better bounds for the norm known, e.g. the set of all prime ideals with norm $\le 6(\ln|\Delta|)^2$ in the case of imaginary quadratic number fields.

Thus in this situation, we can choose an ideal class at random as follows:

1. Precomputation: Compute a generating system consisting of prime ideals due to Bach's theorem: $\{\mathfrak p_1, \dots, \mathfrak p_k\}$.

2. Choose an exponent vector at random: $(e_1, \dots, e_k)$ where $1 \le e_i \le |\Delta|$.

3. Compute $\mathfrak a = \prod_{i=1}^{k} \mathfrak p_i^{e_i}$ and return $[\mathfrak a]$.

In practice we can use much smaller bounds than that given in Bach’s theo- 
rem for determining a generating system. For example, Neis PDj succeeds in his 
experiments using norm bounds of size 0{{ln\A\)^'^) for class groups of number 
fields of degree 3,4,6. Further experiments are needed: The larger the set the 
larger is the probability of getting a generating system. The smaller the set the 
more efficient the determination of a power product, but the less random the 
result. 
Probability Distribution of the Pseudo-Random Element Choice Algorithm. We show that the described algorithm for pseudorandomly choosing an element of the class group of a number field leads to a distribution that is "almost" uniform.

Proposition 1 (Theorem 5.2 of [..]). Consider the imaginary quadratic number field $K$ with discriminant $\Delta \in \mathbb{Z}_{<0}$, its class group $Cl$, and its class number $h = |Cl|$. Let $G$ be a generating system of $Cl$ and $[\mathfrak{a}] \in Cl$. Then the number of vectors $r = (r([\mathfrak{p}]))_{[\mathfrak{p}] \in G} \in \{1, 2, \dots, |\Delta|\}^{|G|}$ solving $\prod_{[\mathfrak{p}] \in G} [\mathfrak{p}]^{r([\mathfrak{p}])} = [\mathfrak{a}]$ equals
$$\frac{|\Delta|^{|G|}}{h} \cdot \exp(\varepsilon),$$
where $\varepsilon \in \mathbb{R}$ with $|\varepsilon| < 1$. For sufficiently large $|\Delta|$ we have $|\varepsilon| < \ln 2$.

We would have a uniform distribution if the number of such exponent vectors $r$ did not depend on the particular choice of the ideal class $[\mathfrak{a}] \in Cl$. The difference between our distribution and the uniform distribution is characterized by the factor $\exp(\varepsilon)$, which depends on $[\mathfrak{a}]$. The closer $\exp(\varepsilon)$ is to 1, the more uniform the resulting distribution is. For sufficiently large $|\Delta|$ we have $|\varepsilon| < \ln 2$, i.e. $0.5 < \exp(\varepsilon) < 2$.

By analogy with the proof of the proposition above one can prove:

Theorem 2. Proposition 1 holds for all number fields $K$.

Thus, as we have shown, the described algorithm for pseudorandomly choosing an element of the class group of a number field leads to a distribution that is "almost" uniform.

2.3 Advanced Algorithms in Number Fields

More Efficient Ideal Multiplication.

The Two-Element Representation of Ideals. Each fractional ideal $\mathfrak{a}$ of the maximal order $O$ of $K$ has a two-element representation
$$\mathfrak{a} = aO + \alpha O$$
where $a \in \mathbb{Z} \cap \mathfrak{a}$ and $\alpha \in \mathfrak{a}$ ([..]). Note that this representation of an ideal only needs $n + 1$ integers, instead of $n^2$ integers for the $\mathbb{Z}$-basis representation and $n \cdot r$ integers ($1 \le r \le n$) for the LiDIA representation from the previous subsection.

Determining Two-Element Representations. Given an ideal $\mathfrak{a}$ in LiDIA representation we want to determine one of its two-element representations. We proceed as follows: we determine a $\mathbb{Z}$-basis $\omega_0, \dots, \omega_{n-1}$ of $\mathfrak{a}$. Then we choose as first generator the integer $a = N(\mathfrak{a})$. Then we test for all $\alpha \in \{\sum_{i=0}^{n-1} b_i \omega_i : b_i \in \{-1, 0, 1\}\}$ whether $aO + \alpha O = \mathfrak{a}$. Since $aO + \alpha O \subseteq \mathfrak{a}$ it is sufficient to check whether $N(aO + \alpha O) = N(\mathfrak{a})$; in this case we actually have $aO + \alpha O = \mathfrak{a}$. Note that although this algorithm is probabilistic (none of the candidates $\alpha$ need succeed), it works fine in practice.
Efficient Ideal Multiplication. Given an ideal $\mathfrak{a}$ in LiDIA representation $(e, A)$ and an ideal $\mathfrak{b} = bO + \beta O$ in two-element representation, we can determine their product in LiDIA representation very efficiently using the equation
$$\mathfrak{a}\mathfrak{b} = \mathfrak{a} \cdot b + \mathfrak{a} \cdot \beta.$$
For determining $\mathfrak{a} \cdot b$ we multiply all entries of $A$ and the modulus $e$ by the integer $b$. For determining $\mathfrak{a} \cdot \beta$ we first multiply the algebraic integer $\beta$ with all columns of the $\mathbb{Z}$-generating system $(A \mid e \cdot I_n)$ of $\mathfrak{a}$. Secondly, we reduce the resulting matrix of $n + r$ columns to a matrix with at most $n$ columns using the Hermite normal form (HNF) computation (see [..]). For adding $\mathfrak{a} \cdot b$ and $\mathfrak{a} \cdot \beta$ we essentially concatenate the columns of the representations of $\mathfrak{a} \cdot b$ and $\mathfrak{a} \cdot \beta$ and reduce the resulting matrix of at most $n + r$ columns to at most $n$ columns using the HNF computation. For the details we refer to [..].

Tables 1, 2 and 3 compare the run times for the multiplication of two ideals in LiDIA representation with the run times for the multiplication of the same ideals where one is given in LiDIA representation and the other in two-element representation. In these experiments we computed in Stender fields of degree $n = 3$, $4$ and $6$:
$$K = \mathbb{Q}\big(\sqrt[n]{D^n + 1}\big), \qquad D \in \mathbb{Z}_{> 10^{10}}.$$
Stender fields will prove to be suitable for cryptographic purposes, see section 3.2. We multiplied pseudo-random LLL-reduced ideals. The last column shows the speed-up factor of the new method for ideal multiplication ("LiDIA repres. * Two-Elt repres.") compared with our usual method ("LiDIA repres. * LiDIA repres."). All run times are given in milliseconds, averaged over 100 iterations, and were measured on a Celeron 433 MHz processor. The run times show that our new method for the multiplication of ideals leads to a speed-up by a factor of about 4.5, 8 and 14 for number fields of degree 3, 4 and 6, respectively, compared with the usual method. Note that the classical ideal multiplication using $\mathbb{Z}$-basis representations of ideals is even slower, which is why we had originally used the LiDIA representation of ideals (see [30] for a comparison of run times).



Table 1. Run times for ideal multiplication, degree n = 3 (four Stender fields with D > 10^10; times in ms)

  LiDIA * LiDIA | LiDIA * Two-Elt | factor
  --------------+-----------------+--------
   6.205        | 1.54            | 4.02922
   6.575        | 1.547           | 4.25016
   6.630        | 1.364           | 4.8607
   6.746        | 1.434           | 4.70432

Table 2. Run times for ideal multiplication, degree n = 4 (four Stender fields with D > 10^10; times in ms)

  LiDIA * LiDIA | LiDIA * Two-Elt | factor
  --------------+-----------------+--------
  18.387        | 2.911           | 6.31639
  18.765        | 3.109           | 6.0357
  20.188        | 2.264           | 8.91696
  20.601        | 2.423           | 8.50227

Table 3. Run times for ideal multiplication, degree n = 6 (four Stender fields with D > 10^10; times in ms)

  LiDIA * LiDIA | LiDIA * Two-Elt | factor
  --------------+-----------------+--------
  104.850       | 7.797           | 13.4475
  111.676       | 8.037           | 13.8952
  116.265       | 9.427           | 12.3332
  126.866       | 8.285           | 15.3127

We shall explain in section 4.3 how we can use this faster multiplication method for our cryptosystem.
Deciding Equality of Ideal Classes.

Let $\mathfrak{a}$ and $\mathfrak{b}$ be two ideals in the maximal order of a fixed number field $K$ of degree $n$. We explain now how to decide whether or not $[\mathfrak{a}] = [\mathfrak{b}]$.

First, let $n = 2$. If $K$ is an imaginary quadratic field, there exists exactly one reduced ideal in each ideal class, and there is a polynomial time reduction algorithm. Reduce the given ideals $\mathfrak{a}$ and $\mathfrak{b}$. We have $[\mathfrak{a}] = [\mathfrak{b}]$ if and only if the reduced ideals are equal. Alternatively, we can decide the equivalence of two ideals with a test for a principal ideal: $[\mathfrak{a}] = [\mathfrak{b}]$ if and only if $[\mathfrak{a}\mathfrak{b}^{-1}] = [O]$, i.e. if $\mathfrak{a}\mathfrak{b}^{-1}$ is a principal ideal $\alpha O$ with $\alpha \in K$.

If $K$ is a real quadratic field, the set of reduced ideals equivalent to $O$ can in practice be computed efficiently, provided the regulator of $K$ is small (see for instance [..]). In this case the principal ideal test consists of the reduction of $\mathfrak{a}\mathfrak{b}^{-1}$ followed by a table lookup.

A similar method is applied for number fields of degree larger than 2; however, determining all reduced principal ideals is much more complicated and is the most difficult problem when implementing cryptographic schemes in class groups of number fields of degree $> 2$.

We now make the terms introduced above precise: if $\mathfrak{a}$ is a (fractional) ideal of $O$, then we call a number $\mu \in \mathfrak{a}$ a minimum of $\mathfrak{a}$ if there is no element $\alpha \neq 0$ in $\mathfrak{a}$ such that $|\sigma_i(\alpha)| < |\sigma_i(\mu)|$ for $1 \le i \le m$, the $\sigma_i$ being the embeddings of $K$. The ideal $\mathfrak{a}$ is called reduced if the smallest positive rational integer in $\mathfrak{a}$ is a minimum of $\mathfrak{a}$. The set of all reduced ideals in $[\mathfrak{a}]$ is called the cycle of reduced ideals in the class of $\mathfrak{a}$ (although its structure is in general much more complicated than in the case of real quadratic fields, where one really has a "cycle"). Its cardinality is finite and is called the period length of $\mathfrak{a}$. It was proven in [..] that the period length is $O(R)$, where $R$ denotes the regulator of $K$. Indeed, the cycle of reduced ideals is only effectively computable if $R$ is small. Number fields whose maximal order has period length 1 are therefore especially suited for our purposes. In the next section we give instances of such fields.

We have implemented an efficient version of an algorithm for computing all reduced principal ideals. The algorithm is a number-geometric generalization of Lagrange's continued fraction algorithm and was presented by Buchmann [..]. It was primarily designed for computing fundamental units, but it also allows one to compute the set of all reduced ideals in any given ideal class. Among the major difficulties in implementing the algorithm were the correct handling of the precision of approximations of real numbers, and the efficient calculation of short vectors in integer lattices. With the information computed by this algorithm, we are able to decide the equality of ideal classes in arbitrary number fields.

3 Cryptographically Good Orders of Number Fields

In the first part of this section we discuss conditions on orders whose class groups are to be used to implement the RDSA signature scheme from [7]. The statements hold for the cryptographic schemes presented in [..], too; therefore a lot of signature schemes could be implemented over algebraic number fields in the same way. In the second part of this section we present families of orders of number fields which fulfil the requirements listed before.

3.1 Requirements for Good Orders

The security of RDSA is based on the root problem. There are polynomial time reductions from the root problem to the order problem (find a non-zero multiple of the order of a given group element) and from the order problem to the discrete logarithm problem [7]. Therefore, as necessary conditions for the security of RDSA, those problems must remain intractable in our (class) group, in particular against the known algorithms for solving them. Given a prime $p$ and a finite abelian group, extracting the $p$-th root of a group element $\alpha$ is, to our knowledge, only possible if a multiple of $\operatorname{ord} \alpha$ is known, for example the group order. Therefore we must ensure that the known algorithms for determining the group order (class number) and discrete logarithms in class groups of orders of number fields will fail. Note that the calculation of the class number $h$ is a very hard computational problem: its complexity is subexponential in the binary length of the discriminant and exponential in the degree of the number field [..]. In the special case of imaginary quadratic number fields, computing the class number or computing discrete logarithms is at least as difficult as factoring integers [..].

Our analysis leads to the following necessary conditions for the class number $h$ of such orders:

— $h$ must be large, i.e. the regulator $R$ should be small.

This condition prevents the success of the following algorithms for determining the class number or discrete logarithms: the exhaustive search method, Pollard's rho method [..], Shanks' baby-step giant-step algorithm [..] including all its variants (e.g. [..]), the Hafner-McCurley algorithm [..], and the index calculus algorithms (e.g. COS [..] or NFS [..]). From the Brauer-Siegel theorem (see for instance [..]) we know that for sufficiently large absolute values $|\Delta|$ of the discriminant the product of regulator and class number is of the order of magnitude of $\sqrt{|\Delta|}$. As our experiments show, we already have $hR \approx \sqrt{|\Delta|}$ for discriminants of a few hundred bits, which is the order of magnitude we are interested in. Unfortunately, the regulator is typically large and the class number small (see [..]). There are, however, infinite families of number fields with small regulators, thus with large class numbers, as we will see in the next subsection.

— $h$ must have sufficiently large prime divisors.

We have to prevent a Pohlig-Hellman attack on the following DL problem: given elements $\alpha, \beta \in Cl$ chosen at random such that $\beta$ is in the subgroup generated by $\alpha$, determine an integer $x$ such that $\alpha^x = \beta$.

If the class number can be determined, it is therefore necessary that the order of $\alpha$ has a sufficiently large prime divisor, such that the discrete log algorithms mentioned above do not succeed in the cyclic subgroups of the group generated by $\alpha$. This happens with very high probability as long as the class number has a sufficiently large prime divisor ([3, Th. 4]).

If the class number cannot be determined in practice (which is the typical case), it seems to be a (weaker) sufficient condition that the class number (and thus, with high probability, the element order as well) contains several primes of medium size whose product is greater than some large bound (see the appendix for details). This prevents the success of the following discrete log algorithm: first determine a multiple of $\operatorname{ord} \alpha$ using a method similar to Pollard's $p - 1$ factorization method ([..], see also [..]), then apply the Pohlig-Hellman algorithm. The first step does not succeed in our situation because of a combinatorial explosion, since $\operatorname{ord} \alpha$ has several primes of medium size: given a group element $\alpha$, finding a multiple of the $B$-smooth integer $\operatorname{ord} \alpha$ needs $O(B \cdot \ln m / \ln B)$ group operations, provided an upper bound $m$ for the element order $\operatorname{ord} \alpha$ is known (see [..]); to cover a medium-sized prime divisor of $\operatorname{ord} \alpha$, the smoothness bound $B$, and with it the work, has to be at least that prime.



3.2 Constructing Good Orders

We consider briefly the special case $n = 2$. Imaginary quadratic number fields always have regulator $R = 1$, thus large class numbers $h$ (if the discriminant is large in absolute value). In [..] it was shown why their maximal orders are suitable for cryptographic applications. Examples of suitable maximal orders of real quadratic number fields are given in [..], too.

In this paper we are interested in number fields of degree $> 2$ because we want to take advantage of the complexity of the NFDL and of the root problem, which is exponential in the degree $n$ of the number field. In the following we present several examples of suitable families of orders of number fields.
Stender Fields. Stender [..] considers number fields
$$K = \mathbb{Q}\big(\sqrt[n]{D^n \pm d}\big), \qquad (1)$$
with defining polynomial $f(x) = x^n - (D^n \pm d)$, where $n \in \{3, 4, 6\}$, $D, d \in \mathbb{Z}_{>0}$, and $d$ satisfies some further condition. We call them Stender fields. Stender explicitly determines a system of fundamental units of $K$, which leads to the exact value of the regulator. The bounds of Table 4 (see [..]) and the explicit examples from [..] show that the class numbers of Stender fields (at least in the special case $d = 1$) are large while their regulators are small. (Note that for $n = 3$ we assume in the table that $D^3 \pm 1$ is cube-free and sufficiently large.) Furthermore, it can be deduced from the heuristics of Cohen and Martinet [..] that the class numbers of number fields with small regulator have at least one large prime divisor. The experiments of Neis [..] confirm this.



Table 4. Bounds for the regulator and the class number of Stender fields, d = 1, D > 16 (for details about the constant c, see [..]; factors abbreviated by "..." are given there in full)

  Degree | Upper bound for the regulator | Lower bound for the class number
  -------+-------------------------------+-------------------------------------------
  n = 3  | R < ... · ln(3 · (D^3 ± 1))   | h > ... / (6 · ... · ln^3 ...)
  n = 4  | R < A · (ln(√3 · D))^2        | h > ... / (136 π · (ln(√3 · D))^2)
  n = 6  | R < 9324 · ln(2D)             | h > c · ... / (35812448 · π^2 · ln(2D))



Stender fields appear to have another advantage in the context of effective computations in class groups: for $n = 3$ and $d = 1$, with the exception of very few, but easily checkable, cases, the period length of the maximal order is exactly 1 (i.e. $O$ is the only reduced principal ideal, see section 2.3) if $D \not\equiv 0 \pmod 3$ [..]. For $n \in \{4, 6\}$ we conjecture that there are infinite classes of Stender fields with period length 1, too; our experiments seem to confirm this conjecture (more detailed results will be published in a subsequent paper). As this property greatly simplifies the equivalence test for ideals, such number fields might prove especially useful for cryptographic applications.



Buchmann's Number Fields of Degree 4. Let $K = \mathbb{Q}(\sqrt[4]{-D})$, $D = 4k^4 + d$, $k \in \mathbb{Z}_{>0}$, $d \in \mathbb{Z}$ with $0 < |d| < 4k$. We consider the order $O = \mathbb{Z}[\sqrt[4]{-D}]$ of $K$.

Depending on the values of $d$ and $k$, Buchmann [..] has determined the fundamental unit of $O$ and the set of all minima of $O$. Buchmann's result is valuable for us for two reasons: firstly, from the fundamental unit of $O$ we can see that the regulator of $O$ is very small, thus the class number is large. Secondly, the inverses of the minima are the generators of the reduced principal ideals. According to [..] the number of reduced principal ideals is very small in all cases:

  Case                              | # reduced principal ideals in O
  ----------------------------------+--------------------------------
  d = 1                             | 1
  d > 1                             | 2
  k > 2 and d = -1                  | 2
  k > 2 and d < -1 and d | 4k       | 4

Therefore, using the order $O$ of the number field mentioned above, we can easily compute the cycle of reduced ideals in $O$ and thus decide equality of ideal classes. Obviously, the most efficient choice is $d = 1$.



Real Cubic Number Fields. Let $\rho_l$ be the uniquely determined real root of the irreducible polynomial $f(X) = X^3 + lX - 1$ ($l \in \mathbb{Z}_{>1}$) and let $K = \mathbb{Q}(\rho_l)$. Then $\varepsilon_l = \rho_l^{-1} = \rho_l^2 + l$ is a fundamental unit [25] and we have $l < \varepsilon_l < l + 1$.

Choose $l$ such that $p^2 \nmid \Delta_l = 4l^3 + 27$ for all primes $p \ge 5$ (e.g. choose $l$ such that the absolute value $\Delta_l$ of the discriminant of $K$ is prime). According to [25], the maximal order of $K$ is $O = \mathbb{Z}[\varepsilon_l]$, and for $\Delta_l > 2 \cdot 10^6$ we have the lower bound
$$h > \frac{\;\cdots\;}{20 \, \ln^{\cdots} \Delta_l}$$
(the omitted factors are given in [25]).


Totally Imaginary Number Fields of Degree 4. Let $K = \mathbb{Q}(i, \sqrt{\delta})$ where $\delta = m^2 + 4i$ is square-free in $\mathbb{Z}[i]$, $m = a + ib \in \mathbb{Z}[i]$ with $a > b > 0$, $a \not\equiv b \pmod 2$. Let $D := |\delta|^2$. Then we obtain from [..]:
$$R < \ln\big(\sqrt{D}\big) \quad\text{and}\quad h > \frac{\;\cdots\;}{17 \, \ln^{\cdots} D} \quad\text{for } D > 2 \cdot 10^6$$
(the omitted factors are given in [..]). Note that $|\Delta| = 16D$. Therefore the class number grows sufficiently quickly.

Instances of such fields can be found, for example, by choosing a prime $p > 2$ (subject to a further condition of the form $\cdots + 1$), $a = 2p$, $b = p$, $m = a + bi$, $\delta = m^2 + 4i$.

4 Computational Results

4.1 The Signature Scheme RDSA

Using the representations and algorithms of section 2 we implemented RDSA, a variant of the ElGamal signature scheme which does not require knowledge of the group order. During signing and verification the exponents are reduced modulo a large prime instead of modulo the group order. This variant was described in [7]. Many well-known signature schemes can be modified such that they can be implemented without knowledge of the group order, e.g. in class groups of number fields (see [..]). Here we describe the RDSA signature scheme in terms of a multiplicatively written finite abelian group $G$. In the description $A$ is the signer, $B$ is the verifier, and $M \in \{0, 1\}^*$ is the message to be signed. Moreover, for $x, y \in \{0, 1\}^*$ we denote by $x \| y$ the concatenation of $x$ and $y$. We also use a cryptographic hash function $h$ which maps strings in $\{0, 1\}^*$ to $\{0, 1, \dots, p - 1\}$ for some positive integer $p$. In our situation, $G$ is the class group of one of the orders of number fields presented in section 3.2.

1. Key generation

$A$ randomly selects an element $\gamma \in G$ and a prime $p$;

$A$ randomly selects an integer $a$ with $1 < a < p$ and computes $\alpha = \gamma^a$;

$A$'s public key is $(G, \gamma, \alpha, p)$, the private key is $a$.

2. Signature

$A$ randomly selects an integer $k$ such that $0 < k < p$;

$A$ computes $\rho = \gamma^k$;

$A$ computes $x = a + k \, h(M \| \rho)$;

$A$ computes nonnegative integers $s$ and $\ell$ such that $x = \ell p + s$ with $0 \le s < p$;

$A$ computes $\lambda = \gamma^{\ell}$;

the signature of the message $M$ is $S = (s, \rho, \lambda)$.

3. Verification

$B$ accepts if and only if $0 \le s < p$ and $\gamma^s \lambda^p = \alpha \, \rho^{h(M \| \rho)}$.

The verification equation holds for a correctly generated signature because $\gamma^s \lambda^p = \gamma^{s + \ell p} = \gamma^x = \gamma^a \gamma^{k \, h(M \| \rho)} = \alpha \, \rho^{h(M \| \rho)}$; neither side involves the group order.
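As an added worked example, not code from the paper or from its LiDIA implementation, the following Python program runs the three steps above in the class group of an imaginary quadratic field, the $n = 2$ case in which, as section 2.3 notes, every ideal class has exactly one reduced representative, so the equality check of the verification is a plain comparison. Ideal classes are represented by reduced binary quadratic forms $(a, b, c)$ of discriminant $D = b^2 - 4ac$, the group operation is composition followed by reduction (the "multiply, then reduce" pattern of section 2.2), and, as in the scheme, the group order is never used. The discriminant $D = -(2^{61} - 1)$, the prime $p = 2^{89} - 1$, the base class $\gamma$ above the prime 2, and the SHA-256-based hash are demo choices, not parameters from the paper.

```python
"""RDSA in the class group of an imaginary quadratic field (added example).
Classes are reduced binary quadratic forms (a, b, c) with D = b^2 - 4ac < 0.
Demo parameters (assumptions, not from the paper): D = -(2^61 - 1), a
fundamental discriminant with D = 1 (mod 8), and the RDSA prime p = 2^89 - 1."""
import hashlib
import secrets

D = -(2**61 - 1)
P = 2**89 - 1


def xgcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def disc(f):
    a, b, c = f
    return b * b - 4 * a * c


def identity(d):
    """The principal class: (1, 0, -d/4) or (1, 1, (1-d)/4)."""
    b = d % 2
    return (1, b, (b - d) // 4)


def reduce_form(f):
    """Unique reduced form in the class of f: |b| <= a <= c, and b >= 0 when
    |b| == a or a == c.  This is the n = 2 analogue of LLL-reducing an ideal."""
    a, b, c = f
    d = disc(f)
    while True:
        if not (-a < b <= a):            # normalise b into (-a, a]
            b += 2 * a * ((a - b) // (2 * a))
            c = (b * b - d) // (4 * a)
        if a > c:                        # (a, b, c) ~ (c, -b, a); renormalise
            a, b, c = c, -b, a
            continue
        if a == c and b < 0:
            b = -b
        return (a, b, c)


def compose(f1, f2):
    """Class product: composition of primitive forms of equal discriminant
    (Cohen, Alg. 5.4.7) followed by reduction, i.e. multiply then reduce."""
    if f1[0] > f2[0]:
        f1, f2 = f2, f1
    a1, b1, _ = f1
    a2, b2, c2 = f2
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    d, y1 = (a1, 0) if a2 % a1 == 0 else xgcd(a2, a1)[:2]
    if s % d == 0:
        d1, x2, y2 = d, 0, -1
    else:
        d1, x2, v = xgcd(s, d)
        y2 = -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    return reduce_form((v1 * v2, b2 + 2 * v2 * r, (c2 * d1 + r * (b2 + v2 * r)) // v1))


def power(f, e):
    """Square-and-multiply in the class group (e >= 0)."""
    result, base = identity(disc(f)), f
    while e:
        if e & 1:
            result = compose(result, base)
        base = compose(base, base)
        e >>= 1
    return result


def prime_form(d, q):
    """A form (q, b, c) of discriminant d above the small prime q."""
    for b in range(2 * q):
        if (b * b - d) % (4 * q) == 0:
            return reduce_form((q, b, (b * b - d) // (4 * q)))
    raise ValueError("no form above %d" % q)


GAMMA = prime_form(D, 2)          # base class gamma of the public key


def hash_to_exp(message, rho, p):
    """h(M || rho) in {0, ..., p-1}: SHA-256 over the message and rho."""
    data = message + b"|" + repr(rho).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p


def keygen(gamma=GAMMA, p=P):
    """Private key a with 1 < a < p, public key alpha = gamma^a."""
    a = secrets.randbelow(p - 2) + 2
    return a, power(gamma, a)


def sign(a, message, gamma=GAMMA, p=P, k=None):
    """(s, rho, lambda): x = a + k*h(M||rho) is split as x = ell*p + s."""
    if k is None:
        k = secrets.randbelow(p - 1) + 1          # 0 < k < p
    rho = power(gamma, k)
    x = a + k * hash_to_exp(message, rho, p)
    ell, s = divmod(x, p)                         # 0 <= s < p
    return s, rho, power(gamma, ell)


def verify(alpha, message, sig, gamma=GAMMA, p=P):
    """Accept iff 0 <= s < p and gamma^s * lambda^p == alpha * rho^h(M||rho)."""
    s, rho, lam = sig
    if not (0 <= s < p) or disc(rho) != disc(gamma) or disc(lam) != disc(gamma):
        return False
    e = hash_to_exp(message, rho, p)
    return compose(power(gamma, s), power(lam, p)) == compose(alpha, power(rho, e))


def demo(message=b"Hello World!"):
    """Sign once; verify the genuine message and a modified one."""
    a, alpha = keygen()
    sig = sign(a, message)
    return verify(alpha, message, sig), verify(alpha, message + b"?", sig)
```

Calling `demo()` signs "Hello World!" and verifies it once against the right message and once against a modified one. The verifier only ever sees $s$, $\rho$ and $\lambda$ and never needs the order of $\gamma$, which is what lets the scheme live in a class group of unknown order; the price is the three exponentiations (including $\lambda^p$) in the verification noted under "Complexity" in section 4.3.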

4.2 Example

To illustrate the algorithm, we give a small example:

Key generation. We use the number field $K = \mathbb{Q}(\sqrt[3]{123^3 + 1})$. Its maximal order has period length 1, i.e. there is exactly one reduced principal ideal. We set $p = 731921033138277435612152393899$ and choose the ideal $\gamma$ with $\mathbb{Z}$-basis
$$\begin{pmatrix} 115956 & 77304 & 110668 \\ 0 & 38652 & 20224 \\ 0 & 0 & 1 \end{pmatrix}$$
and $a = 458967366586392074529404946651$. Then we compute $\alpha = \gamma^a$, the public key, which is in the ideal class of the ideal with $\mathbb{Z}$-basis
$$\begin{pmatrix} 65564 & 0 & 9000 \\ 0 & 65564 & 63680 \\ 0 & 0 & 1 \end{pmatrix}.$$

Signature. We generate the signature for the message "Hello World!" by choosing $k = 485477408517287794924521196370$ and computing the ideal $\rho$ as described above. In our implementation we use the SHA-1 algorithm for hashing; thus we obtain $s = 267317238294110283157650658417$ and the ideal $\lambda$ with $\mathbb{Z}$-basis
$$\begin{pmatrix} 360587 & 0 & 323678 \\ 0 & 360587 & 328756 \\ 0 & 0 & 1 \end{pmatrix}.$$

Verification. Finally, in the verification step, both sides of the equation evaluate to
$$\begin{pmatrix} 302076 & 0 & 193186 \\ 0 & 151038 & 85726 \\ 0 & 0 & 1 \end{pmatrix}.$$

4.3 Implementation and Run Times

The Implementation. We implemented the RDSA signature scheme over class groups of orders of algebraic number fields using C++ and LiDIA [23]. We used the SHA-1 algorithm for hashing. We precomputed all required 16-powers $\gamma^{16^i}$ of the base element (ideal class) $\gamma$ and stored them in the two-element representation of LLL-reduced ideals, so that we could use our new fast method for the multiplication of ideals (see section 2.3). We combined our new multiplication method with the fixed-base windowing exponentiation method with base 16 (see [28]). As LLL reduction for ideals we used the variant of Schnorr and Euchner [..].

In practice, the users of the RDSA signature scheme would obtain the public key of the sender of a signed message as well as these precomputed 16-powers of $\gamma$. Note that each user would use the same class group $G$ and base element $\gamma$, thus the same 16-powers, for its own signatures.

Run Times. The run times of our implementation (see Table 5) were measured on a Celeron processor at 433 MHz.

We remark that our implementation was completely general in the sense that it did not include any optimization for number fields of degree 3.



Table 5. Run times for signature generation

  number field (defining polynomial) | log2(-Δ) | period length | signature | ideal mult.
  -----------------------------------+----------+---------------+-----------+------------
  x^3 - (10^25 + 1)^3 - 1            | 500      | 1             | 2.5 s     | 10.5%
  x^3 - (10^27 + 1)^3 - 1            | 540      | 1             | 2.6 s     | 10.4%
  x^3 - (10^30 + 1)^3 - 1            | 600      | 1             | 3.0 s     | 10.3%
  x^3 - (10^35 + 1)^3 - 1            | 699      | 1             | 3.9 s     |  8.8%
  x^3 - (10^40 + 1)^3 - 1            | 799      | 1             | 4.6 s     |  9.2%



Complexity. Computing an RDSA signature requires two exponentiations in the class group. The verification takes three exponentiations, two multiplications and a table look-up for an equality check. For all exponentiations 160-bit exponents are used.

We now focus on the signature step. The two exponentiations with the base ideal class $\gamma$ take almost 100% of the time needed to generate a signature. We had precomputed all required 16-powers of $\gamma$: $\gamma, \gamma^{16}, \gamma^{16^2}, \dots$. Using the fixed-base windowing exponentiation method with base 16 we have to perform on average 50.5 group operations for a 160-bit exponentiation, in the worst case 53 group operations [28]. For the precomputation we require memory for 40 group elements.
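The operation counts quoted above can be reproduced with the fixed-base windowing method itself. The following Python program is an added example, not the paper's C++/LiDIA code: it precomputes the table $\gamma, \gamma^{16}, \gamma^{16^2}, \dots$ (40 entries for 160-bit exponents), evaluates $\gamma^e$ in base 16 while counting the non-trivial group operations (multiplications by the identity are skipped, as in the count above), and gives 53 for the worst case $e = 2^{160} - 1$ and about 50.5 on average over random exponents. To keep the check independent of class-group arithmetic the group is $(\mathbb{Z}/q\mathbb{Z})^*$ with the Mersenne prime $q = 2^{127} - 1$, a demo choice; in the paper one group operation is an ideal multiplication followed by an LLL reduction, and only `mul` would change.

```python
"""Fixed-base windowing exponentiation with base 16 (added example).
The group (Z/qZ)^* with q = 2^127 - 1 is a stand-in for the class group so
that results can be checked against pow(); the method itself is unchanged."""
import random

Q = 2**127 - 1                    # demo modulus (assumption)


def mul(x, y):
    """The group operation (one ideal multiplication + reduction in the paper)."""
    return x * y % Q


def precompute(g, base=16, digits=40):
    """Table [g, g^base, g^(base^2), ...]; 40 entries cover 160-bit exponents."""
    table = [g]
    for _ in range(digits - 1):
        t = table[-1]
        for _ in range(base.bit_length() - 1):    # t^16 = four squarings
            t = mul(t, t)
        table.append(t)
    return table


def fixed_base_window_pow(table, e, base=16, one=1):
    """Return (g^e, number of non-trivial group operations) for e < base^len(table).
    Writes e = sum d_i base^i and computes prod_{j=1}^{base-1} B_j with
    B_j = prod_{d_i >= j} g^(base^i), accumulating B_j for j = base-1 down to 1."""
    digits = []
    while e:
        digits.append(e % base)
        e //= base
    if len(digits) > len(table):
        raise ValueError("exponent too large for the precomputed table")
    ops = 0
    acc = part = one              # part = B_j, acc = product of the B_j so far
    for j in range(base - 1, 0, -1):
        for i, d in enumerate(digits):
            if d == j:            # fold g^(base^i) into B_j
                if part == one:
                    part = table[i]
                else:
                    part = mul(part, table[i])
                    ops += 1
        if part != one:           # acc <- acc * B_j, skipped while B_j is trivial
            if acc == one:
                acc = part
            else:
                acc = mul(acc, part)
                ops += 1
    return acc, ops


def average_ops(table, trials=2000, seed=1):
    """Mean operation count over random 160-bit exponents (constructed input)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += fixed_base_window_pow(table, rng.getrandbits(160))[1]
    return total / trials
```

With 40 base-16 digits there are 37.5 non-zero digits on average, so building the $B_j$ costs about 36.5 operations and combining them at most 14, which is where the figures 50.5 (average) and 53 (worst case) come from; the 40 table entries are the precomputed group elements mentioned above.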

Remember that one group operation consists in our context of

1. the multiplication of two ideals (one of them given in two-element representation, the other one given in LiDIA representation),

2. LLL-reducing the resulting ideal.

Note that we optimized the multiplication step (see section 2.3), whereas no optimization was done concerning the reduction step. In the example of the Stender field of degree 3 with the defining polynomial $f(x) = x^3 - (10^{25} + 1)^3 - 1$ and 500-bit discriminant (see above) we need 1900 milliseconds (ms) for one 160-bit exponentiation. Of this, the ideal multiplication steps take 10.5% (199 ms), whereas the ideal reduction steps take 89.5% (1701 ms). Detailed timings for other Stender fields confirm these percentages (see Table 5).

Conclusion: from now on any speed-up of more than 10.5% for the RDSA signature scheme must come from optimizing the reduction step or from reducing the number of group operations to be performed.



Security Level. The size of the mathematical objects (ideal classes) is determined by the degree $n$ of the number field and the discriminant $\Delta$. Therefore the role of $n$ and $\Delta$ is comparable to that of the modulus in the RSA scheme. Table 6 shows a very pessimistic comparison of an RSA modulus and an RDSA discriminant $\Delta$ for a number field of degree $n > 2$ that gives the same security level for the RSA and RDSA signature schemes. We followed the argumentation of [..], where this table was determined for imaginary quadratic number fields ($n = 2$). If one takes into account that the complexity of the root problem (the problem of breaking RDSA) grows with the degree of the number field, one obtains even shorter binary lengths for the discriminant. We shall work out a correspondingly more realistic comparison of the sizes of an RSA modulus and an RDSA discriminant in a subsequent paper.

5 Conclusions and Open Questions

From the theoretical point of view, cryptosystems based on the discrete logarithm problem (NFDL) or on the root problem in number fields are alternatives to the cryptosystems used today. As the complexity of NFDL and of the root problem seems to be exponential in the degree of the number field, it is interesting to use number fields of degree $> 2$. In this paper we have shown for the first time how to implement a cryptographic protocol over such fields. The run times of our first implementations show that the new signature scheme RDSA is much less efficient than the popular cryptosystems of today. Note that the cryptosystems used in practice today (e.g. RSA and elliptic curve cryptosystems) were originally also inefficient; the joint research of many people made these systems efficient step by step.

Table 6. Corresponding key lengths (bits) for the same security levels

  RSA modulus | RDSA discriminant
  ------------+------------------
   675        |  500
   768        |  540
   850        |  600
  1024        |  687
  1044        |  699
  1230        |  799
  1536        |  958
  2048        | 1208
  3072        | 1665
  4096        | 2084

The improvement of the arithmetic in number fields of degree $> 2$ towards a very efficient implementation of cryptosystems like RDSA is now the subject of further research. We have shown in this article in which area any optimization must be done for a significant speed-up of the RDSA scheme. In the case of imaginary quadratic fields ($n = 2$), recent speed-ups have led to an RDSA implementation with the same efficiency as the RSA signature scheme ([..]). There are many possibilities for speeding up number field based cryptosystems. Therefore we believe that cryptography based on algebraic number fields will one day also be a practical alternative to the cryptosystems used today. Currently we are working on the following strategies:

— Better cryptosystems. We try to design cryptosystems that involve fewer group operations.

— More efficient ideal reduction. The bottleneck of one group operation in class groups is now the reduction of ideals. We are looking for a speed-up.

Besides, this paper raises the following interesting research problems:

— Are there more infinite families of orders of number fields of degree $> 2$ with short period length, i.e. with a small number (ideally 1) of reduced principal ideals?

— How can we implement the RDSA scheme in non-maximal orders of number fields of degree $> 2$?



100 Andreas Meyer, Stefan Neis, and Thomas Pfahler 



— How large must the discriminant $\Delta$ (depending on the degree $n$ of the number field) be in order to obtain, according to today's knowledge, the same security as RSA with 512-bit, 768-bit, 1024-bit, ... moduli?
A Requirements for Good Orders (Appendix)

Let $(G, \cdot)$ be a finite abelian group with group order $|G| = \prod_p p^{e(p)}$. Let $S$ be a set of prime numbers which divide $|G|$.

Conjecture. Let $\gamma \in G$ be chosen at random with equidistribution. If $|G|$ is unknown and cannot be determined in practice, and the product $\prod_{p \in S} p$ is larger than some large bound (cf. section 3.1), then the discrete log problem $\gamma^x = \delta$ (where $\gamma, \delta$ are given and the integer $x$ was chosen at random) cannot be solved in practice using a generic algorithm, i.e. an algorithm that works in an arbitrary finite abelian group.

Our conjecture is based on

Theorem 3. Let $\gamma \in G$ be chosen at random with equidistribution. Then
$$\Pr\Big[\prod_{p \in S} p \;\Big|\; \operatorname{ord}_G \gamma\Big] = \prod_{p \in S} \Big(1 - \frac{1}{p^{e(p)}}\Big).$$

Proof. Let $F$ be the set of prime divisors of $|G|$. As a finite abelian group, $G$ is the inner direct product of its $p$-Sylow groups $S_p$:
$$G = \prod_{p \in F} S_p,$$
where for each $p \in F$ the set $S_p$ consists of all group elements whose order is a prime power $p^i$ for some $i \in \{0, \dots, e(p)\}$, and each $\gamma \in G$ has a unique representation $\gamma = \prod_{p \in F} \gamma_p$ with $\gamma_p \in S_p$. Note that $\operatorname{ord} \gamma = \operatorname{lcm}\{\operatorname{ord} \gamma_p : p \in F\}$, so $p \mid \operatorname{ord} \gamma$ if and only if $\gamma_p$ is not the neutral element. We can choose a group element $\gamma \in G$ at random with equidistribution by choosing elements $\gamma_p \in S_p$ at random with equidistribution, independently for all $p \in F$, and building the product $\gamma = \prod_{p \in F} \gamma_p$. For each $p \in S$ there exists exactly one element in $S_p$ whose order is not divisible by $p$ (the neutral element of the group), so $\Pr[p \nmid \operatorname{ord} \gamma] = 1/|S_p| = 1/p^{e(p)}$, and these events are independent for different $p$. Therefore
$$\Pr\Big[\prod_{p \in S} p \;\Big|\; \operatorname{ord} \gamma\Big] = \Pr[p \mid \operatorname{ord} \gamma \text{ for all } p \in S] = \prod_{p \in S} \Big(1 - \frac{1}{p^{e(p)}}\Big).$$
Written out by inclusion-exclusion, this is $1 - \frac{1}{p^{e(p)}}$ for $S = \{p\}$ and $1 - \sum_{p \in S} \frac{1}{p^{e(p)}} + \prod_{p \in S} \frac{1}{p^{e(p)}}$ for $|S| = 2$, which shows the claim.

Example.

1. Suppose that $|G|$ has a prime divisor $p$ with $p > 2^{160}$. Then the probability that the order of a randomly chosen group element is divisible by that prime is at least $1 - 2^{-160}$, which is almost 1.

2. Suppose that $|G|$ has prime divisors $p_1, p_2 > 10^8$ with $p_1 p_2 > 10^{16}$. Then the probability that the order of a randomly chosen group element is divisible by $p_1 p_2$ is at least $1 - \big(\frac{1}{p_1} + \frac{1}{p_2}\big) > 1 - 2 \cdot 10^{-8}$, which is almost 1.
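The second condition of section 3.1 (a Pollard $p-1$ style search for a multiple of $\operatorname{ord} \alpha$ with smoothness bound $B$, followed by Pohlig-Hellman, costing about $B \cdot \ln m / \ln B$ group operations) and the estimate of Theorem 3 above can both be checked on a small generic group. The following Python program is an added example, not from the paper: it runs the attack in $(\mathbb{Z}/q\mathbb{Z})^*$, used only as a stand-in for a class group, for two constructed primes, $q = 2311$ (group order $2310 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$, so with $B = 11$ a multiple of the order is found and the discrete logarithm follows) and the safe prime $q = 10007$ (group order $2 \cdot 5003$, so with $B = 100$ no multiple of the order is found), and it compares the exact probability that a uniformly chosen element of a cyclic group has order divisible by every prime in $S$ with the product formula of Theorem 3. The moduli, base elements, bounds and the group order bound $m$ are demo choices.

```python
"""Generic attack of section 3.1 and the estimate of Theorem 3 (added example).
The attacker uses only the group operation, an upper bound m on the element
order and a smoothness bound B; (Z/qZ)^* with constructed primes q stands in
for the class group."""
from fractions import Fraction
from math import gcd


def primes_up_to(bound):
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i in range(bound + 1) if sieve[i]]


def smooth_order_multiple(g, q, m, B):
    """Pollard p-1 style: raise g to every prime power <= m of primes <= B.
    Returns (E, ops) with g^E == 1 if ord(g) is B-smooth, else (None, ops);
    ops counts squarings and grows like B * ln m / ln B."""
    E, h, ops = 1, g, 0
    for l in primes_up_to(B):
        pe = l
        while pe * l <= m:
            pe *= l
        h = pow(h, pe, q)
        ops += pe.bit_length()
        E *= pe
        if h == 1:
            return E, ops
    return None, ops


def pohlig_hellman(g, h, E, B, q):
    """Solve g^X = h given a B-smooth multiple E of ord(g) (X is determined
    modulo ord(g)).  Subgroup logarithms are brute-forced, fine for l <= B."""
    X, M = 0, 1
    for l in primes_up_to(B):
        if E % l:
            continue
        e = 0
        while E % l ** (e + 1) == 0:
            e += 1
        gl, hl = pow(g, E // l ** e, q), pow(h, E // l ** e, q)   # l-power components
        while e and pow(gl, l ** (e - 1), q) == 1:               # true l-part of ord(g)
            e -= 1
        if e == 0:
            continue
        base = pow(gl, l ** (e - 1), q)                          # element of order l
        x = 0
        for j in range(e):                                       # digit j of x in base l
            target = pow(pow(gl, -x, q) * hl, l ** (e - 1 - j), q)
            x += next(d for d in range(l) if pow(base, d, q) == target) * l ** j
        mod = l ** e                                             # CRT-merge x mod l^e
        X += M * ((x - X) * pow(M, -1, mod) % mod)
        M *= mod
    return X


def order_divisibility(m, S):
    """Exact Pr[prod_{p in S} p | ord(g)] for g uniform in the cyclic group Z/mZ
    (ord(g) = m / gcd(g, m)) next to Theorem 3's prod_{p in S} (1 - 1/p^e(p))."""
    count = sum(1 for k in range(m) if all((m // gcd(k, m)) % p == 0 for p in S))
    predicted = Fraction(1)
    for p in S:
        e = 0
        while m % p ** (e + 1) == 0:
            e += 1
        predicted *= 1 - Fraction(1, p ** e)
    return Fraction(count, m), predicted


def demo():
    # (a) q = 2311: group order 2310 is 11-smooth, a multiple of ord(3) is found
    #     immediately and the logarithm of h = 3^1234 follows by Pohlig-Hellman.
    q, m = 2311, 2310
    E, _ = smooth_order_multiple(3, q, m, 11)
    X = pohlig_hellman(3, pow(3, 1234, q), E, 11, q)
    # (b) safe prime q = 2*5003 + 1: ord(5) = 10006 has the medium-sized factor
    #     5003 > B, so no multiple of the order is found with B = 100.
    E2, _ = smooth_order_multiple(5, 10007, 10006, 100)
    return pow(3, X, q) == pow(3, 1234, q), E2 is None
```

In the paper's setting $m$ is a bound on the class number (e.g. from $hR \approx \sqrt{|\Delta|}$) and the group operation is an ideal multiplication plus reduction. Case (b) is the point of the second condition in section 3.1: to cover a medium-sized prime factor of the element order the attacker has to raise $B$ to at least that prime, and the operation count returned by `smooth_order_multiple` grows with it, while `order_divisibility` shows that such a factor of $|G|$ divides the order of almost every element.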
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Abstract. In this paper, the Bell Labs key recovery scheme is exten- 
sively modified to enable a user to request on-line key recovery service 
when the file decryption key is forgotten or lost. New practical and im- 
portant requirements of key recovery are also considered in the proposed 
schemes, for example, the key recovery server and any intruder over the 
communication channel should not learn the key to be reconstructed. 
Furthermore, the necessary authenticity and secrecy between a user and 
the key recovery server should be provided. 



Keywords: Active attack detectability. Cryptography, Dictionary attack. Key 
escrow, Key recovery. Off-line attack. On-line attack. 



1 Introduction 



Since 1994, the topic of key escrowed encryption and communication has been 
widely noticed and studied [1,2,3,4,5]. However, this technique has never been 
widely employed because of the privacy issue. Around 1996, some researchers 
shifted their attention from escrowed encryption to commercial applications 
in an alternative scenario, namely commercial key recovery [6,7,8]. Commercial 
key recovery is not only uncontroversial but can be identified as 
a necessary component of data security services. Evidently, how to survive 
the loss of a hard to remember (and hard to guess) password in a real security 
system is a very important and practical issue. 



1.1 The Classification of Keys 

Here we classify the passwords (or keys) to be remembered by a person into three 
types, depending on the effort required of an attacker to recover them 
and the difficulty the owner has in remembering them. 

simple password : Passwords of this category are easy for the owner to 
remember, but they are still difficult for a nonprofessional attacker to 
guess. However, a professional attacker may sometimes figure out a weak 
password Pa (if it is poorly chosen) with some probability via an off-line 
dictionary attack, provided a copy of f(Pa) is accessible, where f() is any one-way 
function. In this paper, a simple password means a password that should at 
least be resistant, with large probability, to guess-and-match attacks 
from collected dictionaries. Tools for protecting poorly chosen 
weak passwords against guessing attacks, i.e., for filtering out fatal or inappropriate 
weak passwords, are available in [9,10,11]. In one of these studies it was reported 
that, prior to the experiment, a large percentage of the collected 
passwords (selected by novices) was expected to be found in the dictionaries and common word lists. 
Surprisingly, only 1 out of 5 passwords was found in the dictionaries. 
The standard dictionary used there has about 25000 words or more, 
so each matched password is expected to need a number of comparisons 
with words in the dictionary before being identified. Notice that while 
an off-line guessing approach may be feasible, an on-line approach 
will cause an unreasonable delay and most of the time the attack will be 
easily detected. Evidently, the cost of an on-line (or off-line) guessing attack 
on a simple password that has already been sieved (using the above mentioned tools) 
will be extremely high, since a much larger dictionary and more sophisticated 
manipulation will be necessary. 

strong password : Theoretically, passwords of this category are selected to be 
random numbers. They are basically quite difficult for the attacker to figure out, 
but they are also quite hard for the owner to remember. 

pseudo strong password : A password "pass" for practical, high security 
usage often falls into this category, which can be considered 
a mixture of the above two categories. It avoids, or at least 
greatly complicates, the off-line dictionary attack by professional attackers, 
but it also brings the owner the risk of forgetting the password. Another 
typical approach to selecting a pseudo strong password is to concatenate 
two or more simple passwords; the result is sometimes called a passphrase. 



1.2 Review of the Bell Labs Key Recovery Scheme 

To reconcile the requirement of using more secure pseudo strong passwords 
or keys with the requirement of recovering forgotten passwords or keys, 
Maher at Bell Labs developed a crypto key recovery scheme. 

• The protocol 

In the Bell Labs key recovery scheme, the key recovery server has its secret 
key x_s and the related public key y_s = α^{x_s} mod P, where P is a large prime. 
Each user, say A, registers with this server in person and is 
given the server's public key. 

The working key generation and working key recovery protocol can be briefly 
reviewed as follows. Here the working key refers to the file encryption key or any 
login password used in a remote login procedure. 
(1) A: Each time user A wishes to encrypt an important file, he computes the 
file encryption key K (it is assumed to be a strong password) as 

    K = h(α^{pass} mod P || y_s^{pass} mod P) 

where h() is any secure one-way hash function, e.g., [12,13,14], and "pass" 
is the password (assumed to be a pseudo strong password) selected 
by the user. Besides the ciphertext E_K(M), the value α^{pass} mod P is also stored. The 
encryption function E() is assumed to be any symmetric-key cipher. 

(2) A → S: When user A forgets his password, he tries to recover the file 
encryption key K by delivering α^{pass} mod P to the key recovery server. 

(3) A ← S: The recovery server computes T = (α^{pass})^{x_s} mod P = y_s^{pass} mod P and sends the 
result T to the user. 

(4) A: The file encryption key K can be recovered by the user as h(α^{pass} mod P || T). 

• Some remarks on the Bell Labs protocol 

Two important but overlooked issues of the above Bell Labs protocol are given 
below. 

(a) In step (2), the value α^{pass} mod P should be delivered to the recovery 
server by A through an authenticated channel. 

(b) In step (3), the value T should be sent back to user A via a secure 
channel. 

However, the original protocol provides no solution for these two important 
and necessary requirements. Without them, a physical face-to-face approach 
would be necessary for each query, which reduces the practicality 
of commercial key recovery. 

In the Bell Labs protocol, the recovery server learns the password or key 
K to be reconstructed. Therefore multiple recovery servers would be necessary, and 
the file encryption key K would be computed as a combination of several subkeys K_i 
(e.g., K = K_1 ⊕ K_2 ⊕ K_3), each of which must be recovered 
when the user forgets his password. This arrangement aims to prevent 
any single server, or a subset of servers in collusion, from obtaining the key K; for 
a satisfying security level the number of servers should be at least three. 
It has two drawbacks. First, system performance may 
be worse than in the original scheme. The second and more critical drawback 
of using multiple key recovery servers is that the applicability of 
the key recovery is reduced: if one of the servers is inaccessible or becomes 
faulty, the forgotten key K can never be reconstructed. 

Another issue to be pointed out is that in step (1) of the file encryption 
key generation procedure, K can be generated as either h(y_s^{pass} mod P) or 
h(α^{pass} mod P), when α^{pass} mod P or y_s^{pass} mod P, respectively, is stored 
with the ciphertext E_K(M). 
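The exchange above, written out as an added example (not code from the original paper), together with the remark that S can compute K by itself from the stored value. The safe prime P = 2039, the search for a primitive root, and the mapping of the password string to an exponent by hashing are this example's assumptions; a deployment would use a safe prime of at least 2048 bits.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2q + 1 is a safe prime and ALPHA generates
# Z_P^* (it is neither a square nor -1).  Chosen small so the example runs
# instantly; a real deployment uses a safe prime of at least 2048 bits.
Q = 1019
P = 2 * Q + 1  # 2039
ALPHA = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)
WIDTH = (P.bit_length() + 7) // 8


def h(*values: int) -> bytes:
    """h(): any secure one-way hash; here SHA-256 over the concatenation of the
    fixed-width big-endian encodings of its arguments (the '||' in the text)."""
    return hashlib.sha256(b"".join(v.to_bytes(WIDTH, "big") for v in values)).digest()


def password_to_exponent(password: str) -> int:
    """The paper uses 'pass' directly as an exponent; mapping the string into
    [1, P-2] through a hash is this example's assumption."""
    digest = hashlib.sha256(password.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 2)


class RecoveryServer:
    """Key recovery server S with secret x_s and public y_s = alpha^x_s mod P."""

    def __init__(self):
        self.x_s = secrets.randbelow(P - 2) + 1
        self.y_s = pow(ALPHA, self.x_s, P)

    def recover(self, alpha_pass: int) -> int:
        """Step (3): T = (alpha^pass)^x_s = y_s^pass mod P."""
        return pow(alpha_pass, self.x_s, P)

    def learn_key(self, alpha_pass: int) -> bytes:
        """The remark in the text: from the stored value alone S can compute K,
        so a single server learns every key it helps to recover."""
        return h(alpha_pass, self.recover(alpha_pass))


def generate_key(y_s: int, password: str):
    """Step (1): K = h(alpha^pass mod P || y_s^pass mod P).
    Returns K and the value alpha^pass mod P that is stored next to E_K(M)."""
    e = password_to_exponent(password)
    alpha_pass = pow(ALPHA, e, P)
    return h(alpha_pass, pow(y_s, e, P)), alpha_pass


def recover_key(server: RecoveryServer, alpha_pass: int) -> bytes:
    """Steps (2) and (4): hand the stored value to S, receive T, rebuild K."""
    T = server.recover(alpha_pass)
    return h(alpha_pass, T)


if __name__ == "__main__":
    server = RecoveryServer()
    K, stored = generate_key(server.y_s, "pseudo strong file pass")
    print("user recovered K:  ", recover_key(server, stored) == K)
    print("server also knows K:", server.learn_key(stored) == K)
```

Both prints are True: the user gets his key back, and so would anyone who can hand the stored value to S (hence remark (a)), and S itself (hence the multi-server workaround discussed above).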
2 The Model of a Practical Key Recovery 

Since the problem of how to recover a forgotten password or key is basically 
a practical issue, a practical consideration of what a key recovery 
scheme should provide is necessary. From the viewpoint of practicality, the 
requirements of a good key recovery scheme are identified and listed in the 
following. 

(1) The key recovery protocol should be performed at the user's location through 
an on-line process interacting with the recovery server. For this purpose, the 
on-line process must also provide both secrecy and authenticity. 

(2) The key recovery server should not know the exact passwords or keys to be 
recovered by the user. This implies that a simple key backup approach does 
not meet the requirements of a good key recovery. 

(3) An attacker must not be able to impersonate a specific valid user without 
being detected and recover that user's passwords or keys with the assistance 
of the key recovery server acting as an oracle. In other words, 
any on-line impersonation and guessing attack should be detectable by the 
recovery server. 

(4) In the real world of using digital systems, any user may have many passwords 
or keys to remember; however, the user should not have to keep a cleartext 
backup of them to guard against forgetfulness. 

(5) Even if the user loses his local copy of the most important personal secret 
information, the key recovery scheme should still enable the server to assist 
the user in recovering his password or key. In this situation it 
may require the user to return to the recovery server physically and 
perform the recovery process there. 

Requirement (1) implies that the user can request a key recovery service 
through an on-line process performed from a remote location instead of returning 
to the recovery server physically. To realize this useful functionality, a key 
recovery scheme itself should also provide both authenticity and secrecy, in order 
to avoid impersonation (discussed under requirement (3)) and to protect 
the recovered passwords or keys. 

As to requirement (2), since the secret information to be recovered may 
be a password to log into a computer system connected to the Internet, it is not 
reasonable to let the server know the exact secret information. 

Requirement (3) is crucial because the information stored in the user's machine 
to recover the forgotten password or keys (e.g., the value α^{pass} mod P in the 
Bell Labs scheme) may in some situations be accessible to an internal attacker. 
It is not acceptable for an attacker with access to this stored information 
to recover the passwords or keys with the assistance of the trusted recovery 
server; this would open a backdoor in the key recovery system. Therefore 
the stored information for key recovery should be user specific, or protected 
by an important password or key of the specific user, in order to avoid 
impersonation. Furthermore, since the key recovery process is performed remotely, 
any on-line guessing attack should be detectable by the recovery server. The key 
recovery scheme should guarantee that the recovery server cannot be used as an 
oracle by an attacker who impersonates a specific valid user without being 
detected and tries to recover that user's passwords or keys. 

Requirement (4) says that the key recovery server should provide a dependable 
service that helps its users reconstruct important information. Otherwise 
the trivial solution, in which each user keeps a backup of all his passwords or 
keys in a secret (although it is difficult to define precisely) place, would be enough. 

Requirement (5) makes the scheme robust enough. After registering 
with the recovery server, each user may select or receive some long term 
personal secret information which will be used to help recover the working 
passwords or keys. However, it is not reasonable that the passwords or keys 
can never be recovered if that long term personal information is lost. 

Some issues of choosing and using passwords and keys are described in the 
following. Usually it is strongly suggested that a person should not keep only 
a single password or key and use the same password for every system 
he has access to. Often, it is suggested that the life cycle of a password should not 
exceed three or four months, especially for remote login passwords used to enter 
a system that does not have strong intrusion detection measures. At the same 
time, people are educated to avoid poorly chosen weak passwords. For 
the problem of file protection, people sometimes use different passwords or keys 
for files of different security classifications. Therefore each person will have a 
moderate number of pseudo strong passwords or keys to remember. In this 
paper, we focus our attention on the problem of how to recover any 
of these pseudo strong passwords or keys if they are forgotten in the above 
mentioned practical environment. 



3 The Proposed Key Recovery Scheme — KRS-1 

In this section, the first proposed key recovery scheme, named KRS-1, is 
given; it modifies the Bell Labs scheme in order to enhance both security and 
functionality. 



3.1 The Protocol of KRS-1 

The key recovery server S has its secret key x_s and the related public key y_s = 
α^{x_s} mod P, where P is a large prime and α is a primitive root of P. For security 
reasons, P is often selected to be a safe prime of the form P = 2q + 1 where 
q is also a large prime. A prime P where P − 1 has only small factors is called 
smooth. Smooth primes should be avoided because they allow a much faster 
discrete logarithm computation [15]. 

When each user, say A, registers with the server, he selects a personal long 
term password Pa and gives it to the server S. Notably, the password Pa is 
assumed to be a simple password. This enables the user to remember his 
long term password more easily and makes the key recovery scheme 
robust enough. The server stores each user's identity and the related personal 
long term password in a secure table and gives the above server's public key to 
the user. Note that the server must hold Pa itself rather than a one-way image of it, 
since it recomputes h(V, Pa) in step (3) below; the table is therefore as sensitive 
as the passwords it contains. The server's public key and its certificate can also 
be retrieved through the network when required. 

The working key (it can be a file encryption key or a login secret to access a 
remote machine) generation and recovery protocol goes as follows. 

(1) A: Each time user A wishes to encrypt an important file, he computes the 
file encryption key K (it is assumed to be a strong password) as 

    K = h(y_s^{pass} mod P) 

where h() is any secure one-way hash function, e.g., [12,13,14], and "pass" 
is a file accessing password selected by the user for a specific classification 
of files. 

As previously described, pass should be a pseudo strong password so that 
an off-line dictionary attack is infeasible, or at least so costly that 
the attack is meaningless. Besides the ciphertext E_K(M), 

    R = E_{Pa}(α^{pass} mod P) 

(or simply R = (α^{pass} mod P) ⊕ Pa) is also stored. Of course, if two or more 
files share a common encryption key K (or file accessing password pass), 
then the value R can also be shared. 

(2) A → S: When user A forgets his file accessing password pass, he tries 
to recover the file encryption key K by retrieving α^{pass} mod P from R using 
his long term personal password Pa, and computes 

    V = α^{pass} · α^{r_1} mod P 

where r_1 is a random integer selected by user A. User A then computes 

    c_1 = α^{r_2} mod P 
    c_2 = y_s^{r_2} · V mod P 
    h(V, Pa) 

where r_2 is a random integer selected by A and {c_1, c_2} is the ciphertext of 
V produced with the ElGamal encryption scheme [16]. Finally, the user 
sends c_1, c_2, and h(V, Pa) along with his identity ID_A to the recovery server. 

(3) A ← S: The key recovery server first decrypts V from {c_1, c_2} using its 
secret key x_s and checks the integrity and origin of the data with the help 
of h(V, Pa). If the verification succeeds, the key recovery server 
computes 

    T = V^{x_s} mod P 
      = (α^{pass} · α^{r_1})^{x_s} mod P 
      = y_s^{pass} · y_s^{r_1} mod P 

The server then returns T to the user. 

(4) A: Since A knows the random integer r_1, he can recover 

    y_s^{pass} = T · y_s^{−r_1} (mod P), 

and the file encryption key K can then be recovered as h(T · y_s^{−r_1} mod P). 



3.2 Security Analysis of the KRS-1 Protocol 

The reason for sending V encrypted instead of in the clear 
is to counteract the following off-line verifiable text attack on the long term 
password Pa (a simple password). If a passive attacker can intercept 
both V and h(V, Pa), then he can perform an off-line dictionary attack to 
recover Pa if Pa is poorly chosen. In the above protocol the attacker can intercept 
T = V^{x_s} mod P from step (3), but deriving V from the intercepted 
value T requires the server's secret key x_s. 

An interesting question about the above protocol is: if user A still 
remembers his long term password Pa, why not simply store an encrypted 
version of the working key, E_{Pa}(K) or E_{Pa}(pass), using Pa as the protection 
key? Then the file encryption key K or file accessing password pass could be 
recovered when required without the assistance of the recovery server. 

Recall that Pa is a simple password. If that approach were employed, an 
attacker with access to both the ciphertext E_K(M) and the encrypted 
key E_{Pa}(K) could conduct an off-line exhaustive search over the 
possible long term passwords Pa and test each candidate against the ciphertext. 

In the proposed key recovery protocol, on the other hand, an active 
attacker who knows both E_K(M) and R = (α^{pass} mod P) ⊕ Pa has 
to conduct the following on-line password guessing attack, which 
can be detected and prevented by suitable precautions. The attacker 
tries a guessed long term password Pa' and computes 

    G = R ⊕ Pa' = (α^{pass} mod P) ⊕ Pa ⊕ Pa'. 

The attacker then computes V = G · α^{r_1} mod P, its ciphertext {c_1, c_2}, and 
the keyed hash h(V, Pa'). Finally, the attacker sends ID_A, {c_1, c_2}, and h(V, Pa') 
to the recovery server. If the guessed Pa' is identical to Pa, then the integrity 
check succeeds and the server returns T; otherwise the active attack 
is detected and the recovery server takes suitable countermeasures. 
Possible countermeasures include: (1) keeping a log file and delaying subsequent 
attempts; (2) advising the legitimate user to change his Pa. It should be emphasized 
that for a simple password based protocol, on-line password guessing attacks 
are always possible. The main concern is that the protocol should make active 
attacks detectable. 

In fact, the above on-line guessing attack can be modified so that the attacker sends ID_T, 
{c_1, c_2}, and h(V, P_T) to the recovery server, where ID_T and P_T are the identity 
and personal password of the active attacker himself. The server then has no 
way to detect the attack: the check h(V, P_T) passes, and T = V^{x_s} mod P is 
returned regardless of whose R the value V was derived from. If the recovered 
h(T · y_s^{−r_1} mod P) equals h(y_s^{pass} mod P), i.e., if it decrypts E_K(M) correctly, then the 
guessed Pa' is correct; the recovery server thus acts as an oracle. 

However, this scenario is not exactly the case of a usual on-line guessing 
attack. First, the attacker, in making an unusual (in terms of its high 
frequency) number of service requests, reveals his identity. Different application 
environments may take their own appropriate countermeasures, e.g., revealing the 
attacker's identity or restricting the number of services provided within a 
predetermined period of time. Second, a large number of service requests (each of which 
costs the attacker a service charge) is necessary in order to figure out 
the possible Pa. Recall that even a password chosen by a novice can only be 
identified with a probability of about 0.2 (Sect. 1.1) and takes a huge amount of 
on-line tests on average. As suggested previously, Pa should be sieved 
by some tools to rule out poorly chosen passwords. This precaution complicates 
the on-line guessing attack considerably. Therefore, such an on-line attack will 
be extremely unreasonable for commercial key recovery since the total 
cost (paid to the recovery server) may exceed the profit of the attack or the 
cost of finding pass via an exhaustive search. 
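The KRS-1 protocol of Sect. 3.1 and the on-line attacks of Sect. 3.2, as one added example in Python (not code from the original paper): the user side and the server side of steps (1) to (4), the server rejecting a request whose h(V, Pa') does not verify, and the registered attacker who opens A's R with a guess but authenticates as himself, so that S is reduced to an oracle. The toy safe prime P = 2039, the hash-based mapping of pass to an exponent, the expansion of Pa into an XOR mask by hashing (standing in for E_{Pa}), and comparing against K instead of decrypting E_K(M) are this example's assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2q + 1 is a safe prime and ALPHA a primitive
# root of P.  A deployment uses a safe prime of at least 2048 bits.
Q = 1019
P = 2 * Q + 1
ALPHA = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)
WIDTH = (P.bit_length() + 7) // 8


def h(*parts) -> bytes:
    """h(): SHA-256 over fixed-width big-endian integers and utf-8 strings."""
    data = b"".join(x.to_bytes(WIDTH, "big") if isinstance(x, int) else x.encode()
                    for x in parts)
    return hashlib.sha256(data).digest()


def exponent(password: str) -> int:
    """'pass' is an exponent in the paper; deriving it from the string by
    hashing is this example's assumption."""
    return 1 + int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (P - 2)


def mask(pa: str) -> int:
    """R = (alpha^pass mod P) XOR Pa: Pa is stretched to WIDTH bytes by hashing
    (this example's instantiation of the XOR with Pa)."""
    return int.from_bytes(hashlib.sha256(b"mask:" + pa.encode()).digest()[:WIDTH], "big")


class Server:
    """Key recovery server S: secret x_s, public y_s, secure table of (ID, Pa)."""

    def __init__(self):
        self.x_s = secrets.randbelow(P - 2) + 1
        self.y_s = pow(ALPHA, self.x_s, P)
        self.table = {}   # ID -> long term simple password Pa
        self.log = []     # identities whose check failed (input to countermeasures)

    def register(self, ident: str, pa: str):
        self.table[ident] = pa

    def recover(self, ident: str, c1: int, c2: int, tag: bytes):
        """Step (3): ElGamal-decrypt V, verify h(V, Pa), return T = V^x_s mod P."""
        V = c2 * pow(c1, -self.x_s, P) % P
        if ident not in self.table or h(V, self.table[ident]) != tag:
            self.log.append(ident)   # detected: delay further attempts, warn the user
            return None
        return pow(V, self.x_s, P)


def generate(y_s: int, password: str, pa: str):
    """Step (1): K = h(y_s^pass mod P); R = (alpha^pass mod P) XOR Pa is stored."""
    e = exponent(password)
    return h(pow(y_s, e, P)), pow(ALPHA, e, P) ^ mask(pa)


def request(server: Server, ident: str, pa: str, R: int, unmask_pa: str = None):
    """Steps (2) and (4), run by whoever holds R.  'ident'/'pa' are the claimed
    identity and password; 'unmask_pa' is the password used to open R (the
    attacker of Sect. 3.2 sets it to a guess while authenticating as himself)."""
    G = R ^ mask(pa if unmask_pa is None else unmask_pa)   # alpha^pass if correct
    r1 = secrets.randbelow(P - 2) + 1
    V = G * pow(ALPHA, r1, P) % P                           # blinded: S learns nothing of pass
    r2 = secrets.randbelow(P - 2) + 1
    c1 = pow(ALPHA, r2, P)                                   # ElGamal encryption of V
    c2 = pow(server.y_s, r2, P) * V % P
    T = server.recover(ident, c1, c2, h(V, pa))
    if T is None:
        return None
    return h(T * pow(server.y_s, -r1, P) % P)               # h(y_s^pass mod P)


def oracle_attack(server: Server, own_id: str, own_pa: str, R: int, dictionary, K: bytes):
    """Sect. 3.2: a registered attacker tests one guess of A's Pa per (billed)
    request, using his own credentials so the check h(V, P_T) always passes.
    Comparing with K stands in for trying to decrypt E_K(M)."""
    for guess in dictionary:
        if request(server, own_id, own_pa, R, unmask_pa=guess) == K:
            return guess
    return None


if __name__ == "__main__":
    s = Server()
    s.register("alice", "tiger")          # A's simple long term password
    s.register("mallory", "zebra")        # the attacker's own registration
    K, R = generate(s.y_s, "pseudo strong file pass", "tiger")
    print("legitimate recovery:", request(s, "alice", "tiger", R) == K)
    print("wrong Pa detected:  ", request(s, "alice", "kitten", R) is None, s.log)
    print("oracle attack finds:", oracle_attack(s, "mallory", "zebra", R, ["kitten", "tiger"], K))
```

The impersonation attempt is logged under A's identity, while the oracle attack leaves no failed check behind: each of Mallory's requests is a valid, billable service request, which is exactly why the text falls back on rate limits and per-request cost as the countermeasure.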



4 The Key Recovery Scheme Based on RSA — KRS-2 

In this section, the second proposed key recovery scheme, named KRS-2, is 
given; it is based on blinding in the RSA system. 



4.1 The Protocol of KRS-2 

The key recovery server S selects two large secret primes p and q, and publishes 
n = p · q. The server also chooses a base number a of maximal order modulo n 
(the largest order available in Z_n^* is λ(n) = lcm(p − 1, q − 1) rather than φ(n), 
since Z_n^* is not cyclic for n = p · q). The server 
publishes its RSA [17] public encryption exponent e and keeps private the 
decryption exponent d such that e · d ≡ 1 (mod φ(n)), where φ(n) = (p − 1) · 
(q − 1). When each user, say A, registers with the server, he selects a personal long 
term password Pa and his identity ID_A such that gcd(ID_A, φ(n)) = 1 (since φ(n) is 
secret, this condition has to be checked by the server at registration). When 
encoded into an integer, the identity should be unique. Alternatively, a random 
number (often called a salt) is chosen for each identity and an extended identity 
is computed by applying a cryptographic hash function to the identity and the salt 
to obtain a unique ID_A. The details of generating unique identity numbers are 
out of the scope of this paper. As in KRS-1, the password 
Pa is assumed to be a simple password. The server stores each user's identity 
and the personal long term password in a secure table. 

The working key generation and recovery protocol goes as follows. 

(1) A: Each time user A wishes to encrypt his important files, he computes 
the file encryption key K as 

    K = h(a^{pass} mod n) 

where pass is a pseudo strong file accessing password selected by the user. 
Besides the ciphertext E_K(M), 

    R = a^{pass · ID_A} mod n 

is also stored. Of course, if two or more files share a common encryption key 
K (or file accessing password pass), then the value R can also be shared. 

(2) A → S: When user A forgets his file accessing password pass, he computes 

    V = a^{pass · ID_A} · r_1^{ID_A} mod n 

where r_1 is a random integer in [1, n − 1] selected by user A such that gcd(r_1, n) = 
1. The user then computes 

    r_2^e mod n 
    h(V, r_2, Pa) 

where r_2 is a random integer in [1, n − 1] selected by user A. User A 
then sends V, r_2^e mod n, and h(V, r_2, Pa) along with his identity ID_A to the 
recovery server. 

(3) A ← S: The recovery server first decrypts r_2 using the decryption key d 
and checks the integrity and origin of the data via h(V, r_2, Pa). If the 
check succeeds, the key recovery server computes 

    T = V^{ID_A^{−1}} mod n 
      = a^{pass} · r_1 mod n 

where ID_A^{−1} is the multiplicative inverse of ID_A modulo φ(n). The server 
then returns T to the user. 

(4) A: Since A knows the random integer r_1, he can recover 

    a^{pass} = T · r_1^{−1} mod n 

where r_1^{−1} is the multiplicative inverse of r_1 modulo n. Then the file encryption 
key K can be recovered as h(T · r_1^{−1} mod n). 

4.2 Security Analysis of the KRS-2 Protocol 

One major difference from the KRS-1 protocol is that in KRS-2 the 
value V is delivered to the recovery server in the clear. The reason for not 
sending V^e mod n instead is that V can easily be obtained as 
V = T^{ID_A} mod n, where T can be intercepted in step (3). 

Suppose the protocol is modified to remove r_2, so that V is sent 
encrypted as V^e mod n, the integrity and origin check value 
h(V, Pa) is sent in step (2), and T is protected as t = (T · Pa) mod n when 
returned by the recovery server in step (3). The protection of T is meant to 
avoid the direct derivation of V by computing V = T^{ID_A} mod n. However, it 
is easily verified that an off-line verifiable text attack still applies to this 
modified protocol. The attacker tries a guessed long term password Pa' 
and computes T' = (t · Pa'^{−1}) mod n. From this T' the attacker obtains 
V' = T'^{ID_A} mod n, and the intercepted check value 
h(V, Pa) can then be used to verify the correctness of Pa'. 

In the KRS-2 protocol, by contrast, the inclusion of the random integer r_2 
prevents this verifiable text attack. Because the random integer r_2 selected 
by user A is sent encrypted, the attacker cannot 
guess and verify a possible Pa with the help of the intercepted h(V, r_2, Pa). To 
have a successful guess, the attacker would have to try both r_2 and Pa at the same time; 
since r_2 is a random integer in [1, n − 1], this makes the off-line 
guessing attack infeasible. 

The situation of the recovery server acting as an oracle for deriving 
another person's long term password Pa (how to limit this drawback has already been described) 
is avoided in the KRS-2 protocol. In KRS-2, in order to recover the working key 
K = h(a^{pass} mod n) from the value R = a^{pass · ID_A} mod n, an active attacker can 
only pretend to be user A by sending ID_A, V, r_2^e mod n, and h(V, r_2, Pa') to the 
recovery server, because the server's reply T = V^{ID_A^{−1}} mod n is computed 
from the claimed identity. This enables the server to identify a possible attack 
whenever h(V, r_2, Pa') is incorrectly computed because of an incorrect Pa'. 

5 Conclusions 

From the viewpoint of security engineering, commercial and even non-commercial 
key recovery is a necessary key management function in order to provide a 
complete and sound security application environment. Without a satisfying and 
practical key recovery solution, research on strong cryptography can be in 
vain in many situations. This is especially true where tamper proof 
hardware for storing passwords or keys is not available; furthermore, access 
to tamper proof hardware also needs passwords. Strong and secure 
cryptography always needs strong passwords or keys, and this implies 
a high risk of losing anything valuable if the keys are lost or forgotten. This 
situation applies to both individual and organizational requirements. 

Since key recovery is considered a practical issue, the practical and important 
requirements of key recovery were first pointed out in this paper. Then two 
commercial key recovery schemes based on these identified requirements were 
proposed. In future research, other key recovery requirements for more complex 
environments or largely different applications will be considered. Key recovery 
schemes based on these different models will also be developed. 
Abstract. New techniques have been discovered to find the secret keys 
stored in smart-cards. These techniques have caused concern, for they 
can allow people to recharge their smartcards (in effect printing money), 
or illegally use phone or digital TV services. We propose a new processor 
design which will counteract these techniques. By randomising the instruction 
stream being executed by the processor we can hide the secret 
key stored in a smartcard. The extension we propose can be added to 
existing processors, and is transparent to the algorithm. 



1 Background 

Modern cryptography is about ensuring the integrity, confidentiality and authenticity 
of digital communications. As such it has a large number of applications, 
from e-commerce on the Internet through to charging mechanisms for pay-per-view 
TV. As more and more devices become network aware they also become 
potential weak links in the chain. Hence cryptographic techniques are now being 
embedded into devices such as smart cards, mobile phones and PDAs. This 
poses a number of problems since the cryptographic modules are no longer maintained 
in secure vaults inside large corporations. For a cryptographic system to 
remain secure it is imperative that the secret keys used to perform the required 
security services are not revealed in any way. 

The fact that secret keys are now embedded into a number of devices means 
that the hardware becomes an attractive target for hackers. For example, if one 
could determine the keys which encrypt the digital television transmissions, then 
one could create decoders and sell them on the black market. More seriously, 
if one could determine the keys which protect a number of stored-value 
smart cards, which hold an electronic representation of cash, then one could 
essentially print money. 

Since cryptographic algorithms themselves have been studied for a long time 
by a large number of experts, hackers are more likely to try to attack the hardware 
and system within which the cryptographic unit is housed. A particularly 
worrying class of attacks has been developed in the last few years by P. Kocher and 
colleagues at Cryptography Research Inc. inns). In these attacks a number of 
physical measurements of the cryptographic unit are made, which include power 
consumption, computing time or electromagnetic radiation. These measurements are made 
over a large number of encryption or signature operations and then, using statistical 
techniques, the secret key embedded inside the cryptographic unit is 
uncovered. 

These attacks work because there is a correlation between the physical measurements 
taken at different points during the computation and the internal 
state of the processing device, which is itself related to the secret key. For example, 
when data is loaded from memory, the memory bus has to carry 
the value of the data, which takes a certain amount of power depending on 
the data value. Since the load instruction always happens at the same time, one 
can correlate various runs of the application, eventually giving 
away the secret of the smart card. The three main techniques developed by 
Kocher et al. are timing attacks, simple power analysis (SPA) and differential 
power analysis (DPA). DPA provides the most powerful method of 
attack, and it can be mounted using very cheap resources. 

Following Kocher’s papers a number of people have started to examine this 
problem and propose solutions, see i], n. Goubin and Patarin jSj give 
three possible general strategies to combat DPA type attacks: 

1. Introduce random timing shifts so as to decorrelate the output traces on 
individual runs. 

2. Replace critical assembler instructions with ones whose signature is hard to 
analyse, or reengineer the crucial circuitry which performs the arithmetic 
operations or memory transfers. 

3. Make algorithmic changes to the cryptographic primitives under considera- 
tion. 

The last of these approaches has been proposed in a number of papers, and 
various examples have been given. For example 0 suggests essentially splitting 
the operands into two and duplicating the workload. However, this leads to at 
least a doubling of the computing resources needed to perform the cryptographic 
operation. This is similar to the defence proposed by Chari et al. 0, who propose 
to mask the internal bits by splitting them up and processing the bit shares in 
such a way that on recombination we obtain the correct result. In this way 
the target bits of the DPA selector function are not exposed internally to the 
processor and so will hopefully have no effect on the power trace. 

Kocher et al. m recommend using a level of blinding, especially when applied 
to algorithms such as RSA. This again increases the computing time needed 
to implement the operation and also modifies the original cryptographic primitive 
in ways which could lead to other weaknesses being uncovered. This is a 
popular approach which is mentioned by a number of authors and in private 
communications. 

The second approach has been studied, for example in lEI, where the application 
of balanced architectures is described. They balance the Hamming weights 
of the operands, and propose physical shielding or adding noise circuitry. 
It is the first approach which we consider to be the most promising, but one 
which the current literature has only considered in passing. We end this 
section by noting that we are not addressing the problem of making the hardware 
or software tamper resistant. This is an important area which also needs to be 
taken into consideration to produce secure microprocessors or micro-controllers, 
see P and p. 

2 Prior Work 

Essentially the defence to DPA we have in mind is an instance of what Kocher 
et.al call “temporal misalignment of traces”. This is a way to introduce noise 
which can prevent the use of DPA type techniques. 

Kommerling and Kuhn III mention various techniques that introduce a cer- 
tain amount of non-determinism into the processor. An example of this is ran- 
domised clocking which puts an element of non-determinism into the instruction 
cycle. However, they state that this does not provide enough of a defence, since 
attacks can use cross correlation techniques to remove the effect of the ran- 
domised clock. 

Kocher et al. [ref] mention that randomising execution order can help defeat 
DPA, but can also lead to other problems if not done carefully. Kömmerling 
and Kuhn mention the idea of randomised multi-threading at the instruction 
level. They describe this with a set of essentially shadow registers. The auxiliary 
threads could then execute random encryptions, in the hope of masking the real 
encryption operation. The drawback is that the processor is required to 
perform tasks in addition to the desired computation, which increases the 
computational cost considerably. 

Chari et al. [ref] mention a number of countermeasures to DPA-type attacks, 
including the creation of balanced hardware, clock cycles of varying length and 
a randomised execution sequence. They note that for a randomised execution 
sequence to be effective the randomisation needs to be done extensively. 
For example, if only the XORs in each DES [ref] round are randomised then 
one can still perform DPA by taking around eight times as much data. In 
addition, no mechanism is provided which would enable aggressive randomised 
execution. 

Hence for randomised execution order to work it needs to be done in a highly 
aggressive manner, which precludes the type of local randomisation implied 
by the descriptions above. In addition, this cannot be achieved in software, since 
a software randomiser would work at too high a level of abstraction. The ran- 
domised multi-threading idea is close to a solution but suffers from an increased 
instruction count and requires a more complex processor with separate banks of 
registers, one for each thread. 

We have designed simple additions to a processor with either single or multiple 
execution units which allow for aggressive randomised execution of instruc- 
tions on an instruction-by-instruction basis, with the added bonus that every 
instruction executed is required by the algorithm. No extra execution time or 
power is required. In addition, our randomisation process requires no alteration 
to the source code, since the randomisation is done by the processor itself. Hence 
we require no modifications to the basic cryptographic primitives. 

In addition we have introduced two assembly instructions which allow for 
even greater levels of randomised execution, especially when combined with our 
basic hardware modifications. We have called this processor architecture NDISC, 
for Non-Deterministic Instruction Stream Computer. 

Our new architecture will make optimal use of algorithms that have high 
instruction-level parallelism. Clapp [ref] gives an analysis of some cryptographic 
algorithms from this perspective. Hence, algorithms that are optimised for use 
on current processors with multiple concurrent execution paths, as found in 
superscalar [ref], parallel and VLIW architectures [ref], will be particularly 
suitable for our new processor. 

In the following discussions we shall focus on examples such as DES [ref] and 
integer multiplication, which is used in RSA [ref] and EC-DSA [ref]. However, 
it is clear that these techniques can be applied to any cryptographic algorithm, 
or indeed to any algorithm where it is desirable to limit the environmental 
impact of the processor, for example in reducing resonances in small computing 
devices. 



3 Non Deterministic Processors 

In order to prevent attacks based on correlating data, we have designed a simple 
addition to standard processors that randomises instruction issuing. 

Crucially, the attack works because two runs of the same program give compa- 
rable results: everything lines up bar the data, and the data is where the attack 
comes in. By changing the data even slightly the attacker obtains a trace that 
differs in a known way, and by correlating many such traces one builds a picture 
of what is happening inside. 

Our protection scheme removes the correlation between runs, thereby making the 
attack much harder. Our observation is that a conventional processor executes 
a sequence of instructions deterministically; it may execute instructions out-of- 
order, but it will always execute instructions out-of-order in the same way. If the 
same program is run twice in a smart card, then the same instruction trace will 
be executed. By allowing the processor to choose a random instruction ordering 
at run time, we get multiple possible traces that are executed. 

Naively viewed, if there are 10 instructions without dependencies, then there 
are 10! = 3628800 different ways of executing those instructions. Of course not 
all instructions are independent; however, our experiments indicate that there 
are sufficient execution traces to efficiently hide the data trace. In addition, we 
can decrease the number of dependencies using the techniques described below 
in Section 3.2. 

Relating this to existing processor design: like superscalar processors, we se- 
lect a number of independent instructions that can be executed in any order, 
and then randomly select instructions to be executed. Unlike superscalar pro- 
cessors, we do not execute the instructions in parallel. Instead we use available 
parallelism to increase non-determinism. 

Fig. 1. Simple comparison of how a non-deterministic processor executes two 
instructions as opposed to other processors: 

    Single pipeline processor:   Time 1: ADD R0,R1,R1        Time 2: XOR R4,R5,R5 
    Two pipeline processor:      Time 1: ADD R0,R1,R1 and XOR R4,R5,R5 
    Non-deterministic computing: Time 1: ADD R0,R1,R1 or XOR R4,R5,R5 
                                 Time 2: XOR R4,R5,R5 or ADD R0,R1,R1 

In addition, there are instruction sequences that cannot be executed in paral- 
lel on a superscalar, but that can be executed in a non-deterministic manner. For 
example, the instruction sequence ADD R0, R7, R7 ; ADD R1, R7, R7 (which 
first adds R0 to R7 and then adds R1 to R7) can be executed in either order, even 
though the instructions cannot be executed in parallel on a superscalar. 

3.1 Random Issuing 

In single pipeline processors a sequence of instructions is executed in the order in 
which they are fetched by the processor. There is a little out-of-order execution 
to help with branch prediction, but this all occurs on a very small scale. On 
multiple pipeline processors there are a number of execution units through which 
independent instructions can be passed in parallel. For example, if a processor 
has a logic pipeline and an integer-arithmetic pipeline, then the following two 
instructions 

    ADD R0, R1, R1 
    XOR R4, R5, R5 

may be executed in parallel in the two pipelines. One pipeline will execute the 
ADD, the other will execute the XOR. 

Our idea is the following: like a superscalar we identify instructions that can 
be issued independently, but instead of using this information to issue instruc- 
tions in parallel, we use it to execute instructions out-of-order, where the 
processor makes a random choice as to issue order. We call this process 
Instruction Descheduling. This creates a level of non-determinism in the 
internal workings of the processor. This is illustrated in Figure 1. 

If such a system introduces large amounts of non-determinism then this could 
produce a significant breakthrough in reducing the effectiveness of DPA. The 
reduction in the effectiveness of DPA results from the fact that the power trace 
from one run will be almost completely uncorrelated with the power trace from 
a second run, since on the two runs different execution sequences are used to 
produce the same result. For example, a program that adds the values found in 
four memory locations may consist of the following 8 instructions: 
    I0: LOAD  [R1], R8 
    I1: LOAD  [R2], R9 
    I2: ADD   R8, R9, R10 
    I3: LOAD  [R3], R11 
    I4: LOAD  [R4], R12 
    I5: ADD   R11, R12, R13 
    I6: ADD   R10, R13, R14 
    I7: STORE R14, [R5] 

The instruction LOAD [R1], R8 executes by first reading the value of R1, us- 
ing that as an index into memory to read a value, X, and writing X into R8. 
The ADD instruction sums the values found in the first two operands into the 
third operand; the STORE operation stores a register value at a specified memory 
location. 

One way of executing this program is by executing instructions [I0, I1, ..., 
I7] in order, but another, equally valid execution path will execute [I1, I0, I3, 
I4, I5, I2, I6, I7]. Indeed, there are 80 different ways of executing these 8 in- 
structions that will all produce the same result. Instruction descheduling means 
that at run time the processor will select, at random, an instruction to execute, 
thereby randomising the instruction stream, and randomising the access pattern 
to memory caused by both data and instruction streams. 

Clearly at the start and end of the program there is no non-determinism. It 
is the execution of the program which will be non-deterministic and not the final 
output of the program. 



Random Instruction Selection The random instruction selection unit selects 
instructions from the instruction stream that are executable. That is, the instruc- 
tion does not depend on any result that is not yet available, and the instruction 
does not overwrite any data that is still to be used by other instructions that 
are not yet executed, or instructions that are in execution in the pipeline. 

The implementation of this closely follows the implementation of multi-issue 
processors. There is a block of logic that determines conflicts between instruc- 
tions, resulting in a set of instructions that is executable. From this set we select 
an instruction at random. Given a random number generator, which will nor- 
mally be constructed from a pseudo-random number generator that is reseeded 
regularly with some entropy, we select one of the executable instructions and 
schedule it for execution. The choice must be unpredictable from outside the 
chip: an attacker who can predict or influence the generator can re-align the 
traces, and the protection is lost. 



Conditional Branches As with superscalar processors, conditional branches 
cause a problem. The non-determinism in the code is reduced if the issue unit 
is drained on a conditional branch and filled up immediately after the branch 
is taken. As with superscalars, one solution is to employ branch prediction and 
speculative execution. 

A neater solution is to split the branch instruction into two instructions: 
settarget and leap. The settarget instruction (conditionally) sets the 
target address for the leap instruction. As soon as a leap instruction is loaded 
into the random-issue unit, the random-issue unit executes the instruction by 
loading the prefetch program counter with the target address. 

Fig. 2. Sample implementation of random issue unit 

Memory Accesses Memory accesses can be scheduled out-of-order, unless they 
interfere. Loads can be scheduled completely out-of-order if they access memory 
rather than I/O devices. Stores can be issued out of order provided that memory 
consistency is preserved. Again, this is a problem addressed in previous research 
on load-store units for superscalar processors. 

Example Implementation of a Random-Issue Unit A possible implemen- 
tation of a random-issue unit is shown in Figure 2. The instructions are read 
and stored in the instruction prefetch register. The operands of the instruction 
are decoded (we have assumed three-operand instructions, although the scheme 
will also work with two- and one-operand instructions), and the dependencies of 
the operands are analysed using bit-masks to record dependencies: 

— A bit-mask stores the use-dependencies of each register. Each register that 
this instruction needs to read is looked up, and the bits are or-ed together. 

— A bit-mask stores the define-dependencies of each register. Each register that 
this instruction needs to write is looked up, and the bits are or-ed together 
with the previous bit-mask. 

— The bit-mask that is created is stored in a free slot of the random issue 
buffer, together with the instruction. 

In parallel, a slot of the random issue buffer for which all dependency bits are 
zero is selected at random. This instruction can be executed because it does 
not have any define- or use-dependencies. Then all dependencies on the selected 
instruction are cleared so that dependent instructions become executable. 

Fig. 3. Sample implementation of random selection unit 

A possible implementation of a random selection unit is given in Figure 3. 
This unit selects one of the buffer slots whose bit has the value 0. Instructions 
progress as follows through this implementation of the random-issue unit: 

— An instruction is read into the instruction register and split into its compo- 
nents including the registers used in the operands. 

— Each operand is looked up in the defined-by and used-by tables. Bit-masks 
are read indicating whether the source operand registers of this operation are the 
result of a previous instruction, and whether the destination register may overwrite 
a value used by previous instructions. 

— The values of these bit-masks are or-ed, resulting in a new bit-mask that 
specifies the instructions on which this instruction depends. This bit-mask 
is stored in an empty slot of the random issue table, and the instruction is 
stored in an associated slot in the instruction table. 

Instructions are selected for execution as follows: 

— For each instruction, all bits in the dependency mask are or-ed, resulting in 
a '0' if there are no dependencies for this instruction. 

— From all instructions where the or results in a '0', one is selected at random. 
This selected instruction is sent off into the execution pipeline. For a multi- 
issue machine 2 or more ready instructions can be chosen and executed. 

— The enable signal of the random-issue unit is fed from a mode-bit which 
allows the programmer to disable random issue, so that non-determinism 
can be switched off to debug a program. For production systems the enable 
input should be hard-wired to 1; a mode-bit that stays writable in the field 
lets anyone who can run code on the device switch the countermeasure off. 

— The dependency column for that particular instruction is erased, indicat- 
ing that any instruction that was waiting for this instruction can now be 
executed. 

This process is repeated ad infinitum. 



Random Issuing in Superscalar Processors Random issuing works both on 
pipelined and superscalar processors. For the sake of simplicity we only describe 
it in terms of single pipeline processors. In order to illustrate the effects of non- 
determinism on a superscalar machine, consider the following instructions: 

    ADD R0, R1, R1 
    ADD R2, R3, R3 
    XOR R4, R5, R5 
    XOR R6, R7, R7 

On a 2-way superscalar processor with two execution units (logic + arithmetic) 
these instructions are normally executed as follows. In the first clock cycle the 
first ADD and the first XOR are executed; in the second clock cycle the second 
ADD and second XOR are executed. Although the instructions are independent, 
execution is still completely deterministic: the ADD instructions pass through 
the integer unit one after the other, and the XOR instructions pass through the 
logic unit. A non-deterministic version of this superscalar processor would execute 
one of the ADD operations and one of the XOR operations in the first clock cycle, 
and the remaining ADD and XOR in the next clock cycle. This way, there are 
four possible execution traces. 

A non-superscalar random issue processor would take twice as long to execute 
this program, but would execute one of 4! = 24 possible execution paths. There is 
a trade-off between the number of possible execution paths and the amount 
of parallelism exploited. For maximum non-determinism, the processor should 
execute instructions in a single pipeline. 

3.2 Techniques for Increasing Non-determinism 

Non-deterministic processing opens up new challenges in processor and instruc- 
tion set design. In the following sections we examine a number of these. 

In many common cases code is generated which contains unnecessary restric- 
tions on the order in which instructions can be issued. For example, consider 
that we want to XOR four numbers, $R1 \oplus R2 \oplus R3 \oplus R4$. The fastest 
way to perform this on a machine which can XOR two integers in parallel is by 
computing $(R1 \oplus R2) \oplus (R3 \oplus R4)$: 

    I0: XOR R1, R2, R5 
    I1: XOR R3, R4, R6 
    I2: XOR R5, R6, R5 

In a non-deterministic machine with a single pipeline there would be two le- 
gal execution paths: [I0, I1, I2] and [I1, I0, I2]. However, there are actually more 
ways of computing this result, for example $(R1 \oplus R3) \oplus (R2 \oplus R4)$, which 
generates another power trace. We discuss two assembly-level mechanisms to 
increase non-determinism: multi-source reduction operations and Ignore/Depend 
instructions. 



Multi-source Reduction Operation Many operations have a number of pos- 
sible ways of executing them. This is mainly because they involve executing a 
single operation on a set of data. An easy, and often used example, is when the 
operation involved is both associative and commutative. This happens in the 
case of addition, multiplication and XOR. 

For example, consider XORing four values in registers R1, ..., R4. This could 
be done in a number of ways, all of which give the same result, but all of which 
would have different power outputs: 

$$\begin{aligned}
((R1 \oplus R2) \oplus R3) \oplus R4 &= (R1 \oplus R2) \oplus (R3 \oplus R4) \\
&= ((R1 \oplus R3) \oplus R4) \oplus R2 \\
&= (R3 \oplus R2) \oplus (R1 \oplus R4) \\
&= ((R4 \oplus R3) \oplus R2) \oplus R1 .
\end{aligned}$$

In standard assembly language on standard computers this would be executed 
in only one way, using a sequence such as 

XOR R1,R2,R5 

XOR R3,R4,R6 

XOR R5,R6,R5 

which corresponds to the first of the descriptions above. 

The crucial point about these multi-source operations is that although the 
input and output are fixed, the actual calculation steps are non-deterministic. 
There are several ways in which this non-determinism can be achieved: the in- 
struction can be interpreted in microcode, randomly picking registers to combine; 
the instruction can be translated by the compiler into a sequence of instructions 
that can be reordered at run time; or the instruction can be translated at run 
time into a sequence of instructions. 

A reduction instruction could be of the form 

    XOR R1, R2, R3, R4, R5 

The disadvantage of this kind of instruction is that we introduce a different 
addressing scheme, with, in this case, five-address, or even N-address operations. 
Ignore Depend Another way to increase parallelism without having to add 
extra operands to instructions is to introduce two extra instructions, IGNORE 
and DEPEND, which inform the instruction issue unit that a reduction sequence 
is to be processed. As an example, IGNORE and DEPEND will be used as follows 
to allow non-deterministic execution of $R1 \oplus R2 \oplus R3 \oplus R4$: 

    LOAD   #0, R5 
    IGNORE R5 
    XOR    R5, R1, R5 
    XOR    R5, R2, R5 
    XOR    R5, R3, R5 
    XOR    R5, R4, R5 
    DEPEND R5 

In such a block the Instruction Descheduler is told to ignore the dependencies 
on R5 between the four XOR instructions. This allows the Instruction Descheduler 
to execute the four XORs in any order. The advantage of this solution is that we 
can use a conventional three-address instruction set, and just add two operations, 
IGNORE and DEPEND. 

Once an IGNORE instruction on a particular register has been fetched, the 
processor will start delaying dependencies on that register; it will effectively 
ignore any dependencies, but store them for future reference in a second bit- 
mask. When the DEPEND instruction is fetched, the dependency mask used will 
consist of all the delayed dependencies. The DEPEND instruction will therefore 
not complete until the delayed dependencies have been satisfied. Note that this 
is only sound for operations which, like XOR and ADD, are associative and 
commutative, and only if each accumulating instruction reads and updates the 
register atomically with respect to the others. 

Note that we defined IGNORE here in such a way that any number of IGNORE 
instructions can be outstanding: one per register in the architecture. Also, in- 
structions not related to the IGNORE register can be issued between an IGNORE/ 
DEPEND pair, and will be executed as normal. 



3.3 Compiler Techniques 

Standard compiler techniques to increase concurrency by minimising dependen- 
cies between instructions can be employed to increase non-determinism. Ran- 
dom issue processors will have a limited window to look for instructions that 
can be executed non-deterministically. The window of instructions may be large 
(e.g. 16) but it will by its nature be limited. The size of the window may limit 
non-deterministic execution. Consider the following example code: 



    LOAD  I, R0 
    ADD   #1, R0, R0 
    STORE R0, I 
    LOAD  J, R1 
    ADD   #1, R1, R1 
    STORE R1, J 

If the random issue window is two instructions wide, then the first two instruc- 
tions executed will be LOAD I, R0 and ADD #1, R0, R0. The first three instruc- 
tions depend on each other, and only when the window advances to the second 
LOAD instruction can the processor choose between the LOAD and the STORE 
instruction. The number of execution paths is therefore limited to 4. 

However, if we resequence the original program, then the number of execution 
paths can be increased to 13 even with the 2 instruction issue window: 

    LOAD  I, R0 
    LOAD  J, R1 
    ADD   #1, R0, R0 
    ADD   #1, R1, R1 
    STORE R0, I 
    STORE R1, J 

Hardware register renaming [ref] can remove more dependencies. Instruction re- 
sequencing does not compromise performance or power consumption. Note that 
compilers for superscalars do not perform all the reorderings useful here: they only 
perform the reorderings needed to increase instruction-level parallelism. How- 
ever, there are segments of code where no parallelism can be gained but where 
extra non-determinism is available. An example is reduction operations: even 
though there is only limited parallelism in a reduction operation, any order of 
operations produces an equally valid result. 
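The random-issue unit of Section 3.1, the IGNORE/DEPEND relaxation of Section 3.2 and the window-limited path counts of this section can all be checked with the following simulator. It is an example added here, not the NDISC authors' simulator, and every function and program name in it is this example's own. It assumes, as the paper's examples do, that distinct address registers and distinct variables never alias, and it fills in one detail the paper leaves open: IGNORE R is modelled as waiting for earlier writers of R, with the instructions inside the pair waiting for IGNORE.

```python
import random
from functools import lru_cache
from typing import Dict, List, Sequence, Tuple

# Added example, not the NDISC authors' code.  An instruction is (opcode, operands,
# reads, writes): `operands` drive a toy machine, `reads`/`writes` are the names the
# issue unit tracks for hazards: registers ("R8"), immediates ("#1"), static variables
# ("I") or the word addressed by a register ("M[R1]").  Assumed: names never alias.
Instr = Tuple[str, Tuple[str, ...], Tuple[str, ...], Tuple[str, ...]]

def mem(x: str) -> str:                    # "[R1]" -> "M[R1]"; "I" -> "I"
    return "M" + x if x[0] == "[" else x

def mk(op: str, *ops: str) -> Instr:       # the paper's destination-last notation
    if op == "LOAD":                       # LOAD [Ra], Rd   or   LOAD I, Rd
        r = (ops[0][1:-1], mem(ops[0])) if ops[0][0] == "[" else (ops[0],)
        return op, ops, r, (ops[1],)
    if op == "STORE":                      # STORE Rs, [Ra]  or   STORE Rs, I
        r = (ops[0], ops[1][1:-1]) if ops[1][0] == "[" else (ops[0],)
        return op, ops, r, (mem(ops[1]),)
    if op in ("IGNORE", "DEPEND"):
        return op, ops, (), ()             # hazards filled in by relax_reductions
    return op, ops, ops[:2], (ops[2],)     # ADD/XOR a, b, dst

def conflicts(older: Instr, newer: Instr) -> bool:
    """RAW, WAR or WAW hazard between an older and a newer instruction."""
    (_, _, orr, ow), (_, _, nr, nw) = older, newer
    return bool(set(nr) & set(ow) or set(nw) & set(orr) or set(nw) & set(ow))

def relax_reductions(program: Sequence[Instr]) -> List[Instr]:
    """IGNORE R ... DEPEND R: drop hazards on R inside the pair and give each member a
    private token that DEPEND R collects (assumed: members wait for IGNORE only)."""
    out: List[Instr] = []
    active: Dict[str, List[str]] = {}      # register under IGNORE -> member tokens
    for k, (op, ops, reads, writes) in enumerate(program):
        if op == "IGNORE":
            active[ops[0]] = []
            out.append((op, ops, (ops[0],), (ops[0] + "@ignore",)))
        elif op == "DEPEND":
            out.append((op, ops, tuple(active.pop(ops[0])), (ops[0],)))
        else:
            for r, toks in active.items():
                if r in reads or r in writes:
                    toks.append(f"{r}@{k}")
                    reads = tuple(x for x in reads if x != r) + (r + "@ignore",)
                    writes = tuple(x for x in writes if x != r) + (toks[-1],)
            out.append((op, ops, reads, writes))
    return out

def ready(program: Sequence[Instr], pending: Sequence[int]) -> List[int]:
    """Slots whose dependency mask is zero: no hazard with any older pending slot."""
    return [i for i in pending
            if not any(conflicts(program[j], program[i]) for j in pending if j < i)]

def random_issue(program: Sequence[Instr], window: int, seed=None) -> List[int]:
    """Random-issue unit: a `window`-slot buffer filled in program order; each cycle
    one ready slot is picked uniformly at random (a conventional out-of-order core
    would always take the oldest) and the buffer is refilled."""
    rng, n = random.Random(seed), len(program)
    pending, nxt, order = list(range(min(window, n))), min(window, n), []
    while pending:
        i = rng.choice(ready(program, pending))
        pending.remove(i)
        order.append(i)
        if nxt < n:
            pending.append(nxt)
            nxt += 1
    return order

def count_paths(program: Sequence[Instr], window: int) -> int:
    """Number of distinct issue orders the unit can produce with this window."""
    n = len(program)
    @lru_cache(maxsize=None)
    def go(pending: Tuple[int, ...], nxt: int) -> int:
        if not pending:
            return 1
        return sum(go(tuple(x for x in pending if x != i) + ((nxt,) if nxt < n else ()),
                      min(nxt + 1, n)) for i in ready(program, pending))
    return go(tuple(range(min(window, n))), min(window, n))

def execute(program: Sequence[Instr], order: Sequence[int], state: Dict[str, int]) -> Dict[str, int]:
    """Run an issue order on a toy machine (registers and memory share one dict)."""
    st = dict(state)
    val = lambda x: int(x[1:]) if x[0] == "#" else st.get(x, 0)   # "#1" -> 1
    for op, ops, _, _ in (program[i] for i in order):
        if op == "LOAD":
            st[ops[1]] = val(mem(ops[0]))
        elif op == "STORE":
            st[mem(ops[1])] = val(ops[0])
        elif op in ("ADD", "XOR"):
            a, b = val(ops[0]), val(ops[1])
            st[ops[2]] = (a + b) & 0xFFFFFFFF if op == "ADD" else a ^ b
    return st

# The paper's programs: the Section 3.1 sum, the Section 3.3 increments of I and J
# before and after resequencing, and the Section 3.2 IGNORE/DEPEND block.
SUM4 = [mk("LOAD", "[R1]", "R8"), mk("LOAD", "[R2]", "R9"), mk("ADD", "R8", "R9", "R10"),
        mk("LOAD", "[R3]", "R11"), mk("LOAD", "[R4]", "R12"), mk("ADD", "R11", "R12", "R13"),
        mk("ADD", "R10", "R13", "R14"), mk("STORE", "R14", "[R5]")]
INC_IJ = [mk("LOAD", "I", "R0"), mk("ADD", "#1", "R0", "R0"), mk("STORE", "R0", "I"),
          mk("LOAD", "J", "R1"), mk("ADD", "#1", "R1", "R1"), mk("STORE", "R1", "J")]
INC_IJ_RESEQ = [INC_IJ[i] for i in (0, 3, 1, 4, 2, 5)]
XOR4_SRC = [mk("LOAD", "#0", "R5"), mk("IGNORE", "R5"), mk("XOR", "R5", "R1", "R5"),
            mk("XOR", "R5", "R2", "R5"), mk("XOR", "R5", "R3", "R5"), mk("XOR", "R5", "R4", "R5"),
            mk("DEPEND", "R5")]
XOR4 = relax_reductions(XOR4_SRC)
```

`count_paths(SUM4, 8)` returns the 80 orders quoted in Section 3.1, `count_paths(INC_IJ, 2)` and `count_paths(INC_IJ_RESEQ, 2)` return 4 and 13 for the two-instruction window, and `count_paths(XOR4, 8)` returns 4! = 24 where the same four XORs without the IGNORE/DEPEND pair admit a single order. Running `execute(SUM4, random_issue(SUM4, 8, seed), state)` for several seeds produces different issue orders and the same stored sum, which is the property the scheme relies on.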

4 Experiments 

In order to verify that a non-deterministic processor makes a DPA attack more 
difficult, we have built a simulator that outputs a power trace. We emulate a 
Sparc-like processor at instruction level, and produce a power trace. The power 
trace is based on the operands of the instructions, the type of instructions, and 
the memory/register addresses involved. We split the power consumption into 
a static and a dynamic component [ref]: 

— The Hamming weight of all addresses, operands, and instructions involved 
(which models the static power consumption) 

— The Hamming weight of the changes in registers, busses, and the ALU (this 
models the dynamic power consumption) 

This model closely follows the model constructed by researchers performing DPA 
on real processors [ref]. 

The power trace that we produce is, obviously, not a real trace, but it is suf- 
ficient to show whether we can perform differential power analysis. Our trace 
represents the worst case for the defender: the power trace of a real processor 
also contains considerable background noise caused by, for example, prefetching 
logic or random cache replacement, whereas ours contains all the information 
that allows for a DPA attack and none of the noise. Therefore, if it 
is difficult to perform a DPA attack on our trace, it will be even more difficult 
on the real processor. 

With this simulator we have executed a DES program, and performed DPA 
on both the deterministic and non-deterministic versions. We used DES as a test 
example since this is the easiest algorithm to break using DPA. 

In Figure 4 we show the simulated DPA output using four guesses for a 
certain six-bit subkey in the DES algorithm (there are 64 guesses; we show only 
4 so as not to clutter the paper). The large peak on the bottom right hand graph 
corresponds to the correct subkey being chosen. 



Fig. 4. Standard processor: DPA attack on DES 



Using exactly the same DES source code and power model on a processor 
with our method of random issuing of instructions produces the DPA outputs 
shown in Figure 5. The peaks have disappeared into the noise, because there is 
little correlation left. The noise contains many peaks, but none of them flags the 
correct subkey. 

From simulation data we have also calculated the total number of execution 
paths through the program. The total number of execution paths in our DES 
program is approximately 10^^®, however, only the last (or first) of the 16 rounds 
is susceptible to attack, which leaves 10^^ different execution traces. We think 
that we can further increase the number of paths by introducing more compiler 
analysis. 

Fig. 5. NDISC processor: DPA attack on DES 
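The experiment above can be reproduced in miniature with the following script, an example added here rather than the authors' simulator. It models one layer of eight independent S-box lookups (the AES S-box standing in for the DES S-boxes, so that the table can be generated instead of typed), leaks the Hamming weight of each lookup's result as the power sample of the cycle in which it issues, and runs Kocher's difference-of-means DPA on lane 0 against traces from a deterministic core and from a random-issue core. The subkeys, the plaintexts and the eight-lane layer itself are constructed for the example.

```python
import random
from typing import Dict, List, Sequence

# Added example, not the authors' simulator.  The "cipher" is one layer of eight
# AES S-box lookups S[p[i] ^ k[i]] standing in for the eight S-boxes of a DES round;
# each issued lookup contributes one power sample, the Hamming weight of its result
# (the static term of the paper's power model, with no other noise).

def _gf_mul(a: int, b: int) -> int:        # multiplication in GF(2^8), AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _aes_sbox() -> List[int]:              # field inverse followed by the AES affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _aes_sbox()
LANES = 8

def hw(x: int) -> int:
    return bin(x).count("1")

def trace(plain: Sequence[int], key: Sequence[int], random_issue: bool,
          rng: random.Random) -> List[int]:
    """Eight independent lookups.  Deterministic issue runs lane i in cycle i; with
    random issue the unit picks among the eight ready lookups uniformly, which for
    independent instructions amounts to a uniform random permutation."""
    order = list(range(LANES))
    if random_issue:
        rng.shuffle(order)
    samples = [0] * LANES
    for t, i in enumerate(order):
        samples[t] = hw(SBOX[plain[i] ^ key[i]])
    return samples

def collect(n: int, key: Sequence[int], random_issue: bool, seed: int):
    """n traces for constructed random plaintexts; the seed fixes the whole run."""
    rng = random.Random(seed)
    plains = [[rng.randrange(256) for _ in range(LANES)] for _ in range(n)]
    return plains, [trace(p, key, random_issue, rng) for p in plains]

def dpa(plains, traces, lane: int, guess: int) -> List[float]:
    """Kocher-style difference of means; selector = bit 0 of S[p[lane] ^ guess]."""
    sums = [[0] * LANES, [0] * LANES]
    cnt = [0, 0]
    for p, tr in zip(plains, traces):
        b = SBOX[p[lane] ^ guess] & 1
        cnt[b] += 1
        for t in range(LANES):
            sums[b][t] += tr[t]
    return [sums[1][t] / cnt[1] - sums[0][t] / cnt[0] for t in range(LANES)]

def peak(curve: Sequence[float]) -> float:
    return max(abs(v) for v in curve)

def peaks(plains, traces, lane: int) -> Dict[int, float]:
    """Largest |difference| over the eight cycles for each of the 256 subkey guesses."""
    return {g: peak(dpa(plains, traces, lane, g)) for g in range(256)}

KEY = [0x3A, 0x91, 0x5C, 0xE7, 0x08, 0x6D, 0xB2, 0xF4]   # constructed subkeys

if __name__ == "__main__":
    for mode in (False, True):
        plains, traces = collect(4096, KEY, mode, seed=1)
        pk = peaks(plains, traces, 0)
        best = max(pk, key=pk.get)
        print("random issue" if mode else "deterministic",
              "correct-key peak %.3f, best guess %02x with peak %.3f" % (pk[KEY[0]], best, pk[best]))
```

With deterministic issue the correct subkey produces a difference of about 1.0 in the cycle of its lookup, the expected value for a bijective S-box leaking the weight of its whole output, while the other seven cycles carry only sampling noise. With random issue the lookup lands in each of the eight cycles with probability 1/8, so the same selector yields a peak of roughly 0.125 spread over all cycles; the number of traces needed to lift it back above the noise grows with the square of that factor, which is the effect Figure 5 shows for the full DES round.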



5 Conclusion and Future Work 

We have shown how one can use ideas from superscalar architectures to produce 
a randomised non-deterministic processor. This idea essentially allows a single 
instruction stream to correspond to one of an exponential number of possibly 
executed programs, all of which produce the same output. Since attacks such as 
differential power analysis rely on the correlation of data across many execution 
runs of the same program, the idea of a non-deterministic processor can help to 
defeat such attacks. 

Further research still needs to be carried out, yet we feel that the proposed 
solution to differential power analysis gives a number of advantages; such as 
the fact that program code does not need to be modified and neither speed nor 
power consumption are compromised. The simulated results show that the DPA 
attack is spoiled. 
Abstract. With the majority of security breaches coming from inside 
of organizations, and with the number of public computing sites, where 
users do not know the system administrators, increasing, it is dangerous 
to blindly trust system administrators to manage computers appropri- 
ately. However, most current security systems are vulnerable to malicious 
software modification by administrators. To solve this problem, we have 
developed a system called sAEGIS, which embraces a smartcard as per- 
sonal secure storage for computer component hashes, and uses the hashes 
in a secure booting process to ensure the integrity of the computer com- 
ponents. 



1 Introduction 

With the rapid integration of information technology into society, the demand 
for computer system security is soaring. Despite decades of extensive research on 
information security, computer systems remain vulnerable to malicious modifica- 
tions. This trend reflects a prevalent, but inaccurate, assumption about computer 
systems: that they are trustworthy. For the purpose of this paper, we define a 
trusted computer as "a computer system that behaves as its users intend, with- 
out damaging or leaking the resource or information" [ref].^1 A major problem today 
is that modern commodity computers are not trustworthy because (1) they tend 
to overlook or ignore physical security issues, and (2) they are vulnerable to 
the exploitation of software bugs. Once an adversary compromises a computer 
by one of the above two methods, he can install a malicious modification that 
defeats any security mechanism on the computer. For example, consider a Ker- 
beros client that steals a user's password [ref], an SSL client that leaks plain text 
packets, or a loadable kernel module that redirects system calls to fool a 
system integrity checker [ref]. 

^1 This definition is narrower than the one used in the US Trusted Computer Security 
Evaluation Criteria [ref], in which the word "trusted" includes access control, covert 
channel analysis, etc. Our definition is closer to the ones used by Neumann [ref], 
Brewer et al. [ref], Goldberg et al. [ref], and Loscocco et al. [ref]. 

Conventionally, the problem of trusted computing has been tackled by ap- 
proaches such as access control mechanisms [ref], layered architecture [ref], sand- 
boxing [ref], and application-level integrity checking [ref]. However, all of these 
approaches trust the underlying hardware and operating system kernels, and are 
of little use if any of these components are compromised. Furthermore, many of 
the approaches require custom operating systems, which increases management 
and operational problems. 

To counter this problem, Arbaugh et al. have developed a high assurance 
bootstrap process called AEGIS [ref]. AEGIS ensures that a valid and autho- 
rized operating system kernel is started by verifying the integrity and authoriza- 
tion of every component that comprises the bootstrap process through the use 
of digital signatures and authenticity certificates. When it boots an operating 
system, AEGIS guarantees that the boot process takes a valid path (in terms of 
integrity and authorization) from the initial power-on event to the login prompt 
through an inductive process [ref]. 

Although AEGIS significantly improves the security of personal computers, 
it has drawbacks. First, users must trust their system administrator to autho- 
rize, i.e., digitally sign, the trusted operating systems and applications. However, 
because (1) security threats often come from inside of organizations, and (2) in 
public computing sites, such as Internet cafes and libraries, system administra- 
tors are unknown, the user may choose not to trust the administrators. Second, 
AEGIS is inflexible: it is difficult to change the hardware configuration of a host, 
and it can boot only FreeBSD. 

To solve these problems, we have developed sAEGIS, which integrates a 
smartcard into the bootstrap process. In sAEGIS, we use a smartcard to store 
the set of component hashes that the holder of the smartcard authorizes, pushing 
control over the selection of approved components from the system administrator 
to the user. We also have ported AEGIS to support GRUB [ref], a free and flexible 
boot loader, which supports a larger set of operating systems. 

The remainder of the paper is structured as follows. First, we provide a brief 
review of AEGIS. Next, we present the design of sAEGIS and analyze its security. 
Then, we describe the implementation and provide performance benchmarks for 
sAEGIS. Finally, we conclude the paper and provide details of our future work. 



2 Background: AEGIS Secure Bootstrap Process 

Here we review AEGIS to provide background for understanding sAEGIS. 

AEGIS is a secure bootstrap process, whose goal is to provide a trusted 
foundation on a computer system. As described in Section 1, a modern computer 
system cannot usually be trusted because of the lack of physical security and 
an untrusted initialization process. One way of addressing this problem is to 
ensure the integrity of a computer system. A system is said to possess integrity 
if no unauthorized modification has been made to it. Denning defines integrity 
similarly for communication [ref]. AEGIS assures the integrity of a personal computer 
at boot time, through a process called chaining layered integrity checks, which 
uses induction and digital certificates. 

AEGIS works as follows: 

1. A system administrator, or other authorized party, generates a hash, H, of a 
bootstrap component, and creates a certificate, C, which includes a unique 
component identifier, an expiration date, and H. 

2. The authorized party signs C with her private key. 

3. C is then stored in the component if possible, and, if not, then in a data 
block of the flash memory device on the host’s motherboard. 

4. Execution control is passed to the component if and only if: 

(a) The certificate, C, has not expired. 

(b) The signature of C is valid, and 

(c) The hash value stored in the certificate matches the computed value of 
the component under consideration. 

It is important to note that AEGIS provides integrity guarantees only for 
starting a system. Once a system is running, AEGIS does not provide any guar- 
antees that the integrity of the OS remains valid. 

As described in Section 1, AEGIS has two problems. First, the user is forced 
to trust the system administrator because the certificates are stored in the com- 
ponent or the BIOS, both of which are controlled by the administrator. The 
administrator can create and install malicious software by simply creating and 
signing a component certificate. AEGIS cannot detect the malicious software 
because the component passes all of the validity tests described earlier. The sec- 
ond problem is the lack of flexibility. The bootloader used in AEGIS can boot 
only FreeBSD. Furthermore, hardware re-configuration on AEGIS requires the 
creation and installation of new device certificates. Because of its size limitation, 
BIOS (which is in a flash memory chip) cannot store file system drivers, and is 
unable to access data on the hard disk. 

Readers interested in the further details of AEGIS are advised to refer to 
articles [2, 3]. 

3 Design 

3.1 Design Goals 

The goals of sAEGIS are as follows: 

— Personalization 

In AEGIS, it is a system administrator’s responsibility to manage certifi- 
cates and MACs. By embracing a smartcard as a personal storage of MACs, 
sAEGIS hands the control to the users. 

— Authentication 

In AEGIS, a user who attempts to boot a computer is not authenticated. 
That is, anyone who can invoke the boot process, for example, by hitting 
the reset button, may boot it. sAEGIS boots an operating system only if 
a correct smartcard and associated PIN are presented by a user. This two- 
factor authentication (what-you-have and what-you-know) makes theft of a 
mobile computer less threatening, as the thief cannot use the computer. 

— Operating System Flexibility 

The only operating system the AEGIS prototype is able to boot is FreeBSD. 
In contrast, sAEGIS employs a free, flexible boot loader called GRUB [8] to 
boot several operating systems, namely, Linux, FreeBSD, NetBSD, OpenBSD, 
Windows 9*, NT, and 2000. 

— Hardware Configuration Flexibility 

In AEGIS, the certificates are stored in a flash memory chip, which is hard to 
configure. In sAEGIS, because the smartcard access library is small enough 
to fit into the flash chip, the hardware configuration information, certificates, 
and MACs can be moved to the smartcard, which is more easily configured 
than the flash chip. 

Of the above four goals, the first three were achieved in our sAEGIS pro- 
totype. The reason why the last goal was not achieved is discussed in Section 
7.2. 

3.2 Design Overview 

In a nutshell, sAEGIS = AEGIS + GRUB + smartcard + verify. That is, (1) 
sAEGIS relies on AEGIS to boot GRUB securely, (2) GRUB boots an operating 
system kernel securely using a smartcard for verification, and (3) the kernel 
checks the integrity of daemons with an application called verify. 

The basic idea behind sAEGIS is as follows: if a lower layer verifies the 
integrity of all higher layers before booting them, the system integrity is ensured. 
Therefore, to comprehend the design of sAEGIS, it is essential to understand 
which component verifies and boots which, and how. The bootstrap process of 
sAEGIS is summarized in the following events, in chronological order. 

1. Power on Self Test (POST). The processor checks itself. 

POST is invoked by either applying power to the computer, hardware reset, 
warm boot (ctrl-alt-del under DOS), or jump to the processor reset vector 
invoked by software. This starts the bootstrap process. 

2. BIOS section 1 verifies itself and BIOS section 2, and boots section 2. 

In sAEGIS, BIOS is divided into two parts, section 1 and section 2. The 
former contains the bare essentials needed for integrity verification, such 
as a cryptographic hash function (MD5 and SHA1), a public key function 
(RSA), and the public key certificate of a trusted third party. The integrity 
of this part is assumed, i.e., it is assumed to never be modified. Discussion 
about this assumption is in Section 4.3. 

BIOS section 1 reads the certificate of itself from the flash chip, and verifies 
itself. 

BIOS section 1 reads the binary and certificate of BIOS section 2 from the 
flash chip, and verifies the binary. If the check goes through, it boots section 2. 

3. BIOS section 2 verifies the ROM of extension cards, and executes them. 

BIOS section 2 reads the programs stored in the ROM of extension cards, 
reads the associated certificates from the flash chip, and verifies the pro- 
grams. If the check goes through, it executes them. 

4. BIOS section 2 verifies GRUB stage 1, and boots it. 

GRUB is divided into two parts, stage 1 and stage 2, because an Intel- 
compatible personal computer requires a primary boot loader to be no more 
than 512 bytes long. Stage 1 is booted by BIOS section 2, and stage 2 is 
booted by stage 1. 

BIOS section 2 reads the binary of GRUB stage 1 from a floppy disk, reads 
the certificate from the flash chip, verifies the binary, and boots it. 

5. GRUB stage 1 verifies GRUB stage 2, and boots it. 

GRUB stage 1 reads the binary and certificate of GRUB stage 2 from a 
floppy disk, verifies the binary, and boots it. 

6. GRUB stage 2 verifies the kernel and the verification tools, and boots the 
kernel. 

GRUB stage 2 mounts the file system (typically on a hard disk) that stores 
a kernel, verify, and a shell script that invokes verify (e.g., 
/etc/rc.d/init.d/inet on UNIX). It reads these files from the file system, 
reads the MACs from a smartcard, and verifies the files. If the check goes 
through, it boots the kernel. 

7. The kernel uses the verify application to verify the important files, and 
starts the system daemons that pass the check. 

verify is invoked by the kernel at boot to check important files. If the check 
fails, the kernel does not start the related daemons. The important files are 
system daemons (e.g., login, logind, ssh, and sshd should be verified on 
UNIX to detect a password sniffer), configuration files (e.g., SYSTEM.INI 
should be verified on Windows to detect a Trojan horse), and shared li- 
braries (e.g., GINA.DLL should be verified on Windows NT / 2000 to detect 
a password sniffer). 

The bootstrap process is depicted in Figure 1. 



3.3 Smartcard Communication Protocol 

In step 6 of the list presented above, a workstation and a smartcard carry out a 
protocol to (1) authenticate the smartcard and (2) verify the hash presented by 
the workstation. The protocol is shown in Figure 2 and is described as follows. 



Personal Secure Booting 135 

Fig. 1. Bootstrap Process (figure not reproduced; legend: Boot, Check MAC, Refer) 

Fig. 2. Smartcard - Workstation Communication Protocol 
Workstation: 

— obtain PIN from the user 

— compute the hash of the kernel: m = SHA1(kernel) 

— generate a random challenge: r 

— encrypt {m, r} with the smartcard's public key: {m, r}K_pub 

— send {m, r}K_pub to the smartcard, along with the PIN 



Smartcard: 

— check PIN; if the PIN does not match, set ANSWER to ERR 

— decrypt {m, r}K_pub with the private key 

— compare m to the stored hash, and set ANSWER to OK or ERR 

— sign {ANSWER, r, m} with K_prv: {ANSWER, r, m}K_prv 

— send it to the workstation 



Workstation: 

— encrypt {ANSWER, r, m}K_prv with K_pub 

— make sure it is signed by the smartcard 

— if (ANSWER == OK and r == original r and m == original m) continue 
with boot; otherwise, halt the boot process 
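The AEGIS certificate check (steps 1 to 4 in Section 2) and the smartcard exchange just listed, as an added example written for this page in Python; it is not code from the sAEGIS prototype, whose BIOS, GRUB and smartcard code are in C and Java. Everything the paper does not specify is an assumption here: the certificate layout (an id|expiry|hash string, signed hash-then-sign), SHA-1 for the certificate hash where the AEGIS BIOS uses MD5, a textbook RSA without padding whose keys are built from Mersenne primes so the block runs offline (such keys are predictable and not secure), a three-try PIN counter, and an 8-byte nonce. The ANSWER codes are the prototype's (Section 5.4), and the signed reply carries m as the design above requires, which the prototype omitted. The demo runs the scenarios of Section 4.4, including the man-in-the-middle case against the prototype's constant nonce (Section 5.2): the smartcard answers OK, but the workstation halts because m and m' differ.

```python
import hashlib
import hmac
import os


class ToyRSA:
    """Textbook RSA, no padding; keys from Mersenne primes so it runs offline.
    Such keys are predictable and NOT secure: illustration only, not PGP's RSA."""
    def __init__(self, p, q):
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))
    def _op(self, blob, exp):              # one modular exponentiation, fixed-width output
        x = pow(int.from_bytes(blob, "big"), exp, self.n)
        return x.to_bytes((self.n.bit_length() + 7) // 8, "big")
    def _unwrap(self, blob, exp):          # inverse op; the 0x01 tag keeps leading zero bytes
        raw = self._op(blob, exp).lstrip(b"\x00")
        return raw[1:] if raw[:1] == b"\x01" else None
    def sign(self, msg):     return self._op(b"\x01" + msg, self.d)   # K_prv operations
    def decrypt(self, blob): return self._unwrap(blob, self.d)
    def encrypt(self, msg):  return self._op(b"\x01" + msg, self.e)   # K_pub operations
    def verify(self, sig):   return self._unwrap(sig, self.e)


ADMIN = ToyRSA((1 << 1279) - 1, (1 << 2203) - 1)   # administrator who signs AEGIS certificates
CARD = ToyRSA((1 << 521) - 1, (1 << 607) - 1)      # Alice's smartcard key pair; K_prv stays inside


# --- AEGIS component certificate (Section 2): identifier, expiry, hash H, signature ---
def issue_certificate(signer, component_id, component, expires):
    body = f"{component_id}|{expires}|{hashlib.sha1(component).hexdigest()}".encode()
    return body, signer.sign(hashlib.sha1(body).digest())          # assumed: hash-then-sign

def aegis_may_execute(signer_pub, cert, component, now):
    """Step 4: pass control only if (a) not expired, (b) signature valid, (c) H matches."""
    body, sig = cert
    _, expires, h = body.decode().split("|")
    if now >= int(expires): return False
    if signer_pub.verify(sig) != hashlib.sha1(body).digest(): return False
    return hmac.compare_digest(h, hashlib.sha1(component).hexdigest())


# --- Section 3.3 exchange; ANSWER codes are those of the prototype (Section 5.4) ---
OK, ERR = bytes([0x80] * 8), bytes([0x40] * 8)

class Smartcard:
    def __init__(self, key, pin, stored_hash, pin_tries=3):
        self.key, self.pin, self.stored_hash, self.tries = key, pin, stored_hash, pin_tries
    def respond(self, pin, blob):
        if self.tries == 0: return None                      # card blocks itself after n wrong PINs
        answer = OK
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.tries -= 1
            answer = ERR
        plain = self.key.decrypt(blob)                       # {m, r}K_pub -> m || r
        if plain is None or len(plain) != 28: return None
        m, r = plain[:20], plain[20:]
        if not hmac.compare_digest(m, self.stored_hash):
            answer = ERR
        return self.key.sign(answer + r + m)                 # {ANSWER, r, m}K_prv

class Workstation:
    def __init__(self, card_pub, rng=os.urandom):           # uses only encrypt/verify of card_pub
        self.card_pub, self.rng = card_pub, rng
    def request(self, kernel):
        self.m, self.r = hashlib.sha1(kernel).digest(), self.rng(8)   # m = SHA1(kernel), nonce r
        return self.card_pub.encrypt(self.m + self.r)
    def check(self, reply):
        plain = self.card_pub.verify(reply) if reply is not None else None
        if plain is None or len(plain) != 36: return False
        answer, r, m = plain[:8], plain[8:16], plain[16:]
        return answer == OK and r == self.r and hmac.compare_digest(m, self.m)

def secure_boot(card, kernel, pin, rng=os.urandom, tamper=None):
    """One run of the exchange; `tamper` rewrites the request on the serial cable (Assumption 6)."""
    ws = Workstation(card.key, rng)
    blob = ws.request(kernel)
    return ws.check(card.respond(pin, tamper(blob) if tamper else blob))


KERNEL = b"constructed kernel image"              # constructed sample data
EVIL_KERNEL = KERNEL + b" with a rootkit"

def demo():
    """Certificate check plus the Section 4.4 scenarios; returns {scenario: bool}."""
    cert = issue_certificate(ADMIN, "grub-stage2", KERNEL, expires=2_000_000_000)
    card = Smartcard(CARD, "1234", hashlib.sha1(KERNEL).digest())
    const_r = lambda n: b"\x00" * n               # the prototype's constant nonce (Section 5.2)
    forged = CARD.encrypt(hashlib.sha1(KERNEL).digest() + const_r(8))   # Mallory's {m, r}K_pub
    card_ok = lambda blob: (CARD.verify(card.respond("1234", blob)) or b"")[:8] == OK
    return {
        "cert ok": aegis_may_execute(ADMIN, cert, KERNEL, now=1_700_000_000),
        "cert, component modified": aegis_may_execute(ADMIN, cert, EVIL_KERNEL, now=1_700_000_000),
        "cert expired": aegis_may_execute(ADMIN, cert, KERNEL, now=2_100_000_000),
        "boot, right PIN": secure_boot(card, KERNEL, "1234"),
        "boot, wrong PIN": secure_boot(card, KERNEL, "0000"),
        "boot, modified kernel": secure_boot(card, EVIL_KERNEL, "1234"),
        "mitm: smartcard answers OK": card_ok(forged),
        "mitm: workstation boots": secure_boot(card, EVIL_KERNEL, "1234", const_r, lambda _: forged),
    }
```

With a random nonce the substituted request no longer matches r in the signed reply, which is the replay defence described in Section 4.4; with the prototype's constant nonce only the m == original m comparison catches the substitution, which is why the design's inclusion of m in the signed reply matters.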



4 Security Consideration 

In this section, we discuss the security of our design. 



4.1 Model 

We start with constructing a model of the system. The model consists of the 

following participants: 

Alice (A) A legitimate user who wants to boot and use a personal computer. 
She owns a smartcard. 

Smartcard Alice’s smartcard. It stores a private key, K_prv, and MACs. It is 
PIN protected, i.e., a secret number must be presented before it is used. It 
blocks itself if a wrong PIN is typed for n consecutive times. 

Mallory (M) An adversary. 

Personal Computer (PC) An Intel-compatible personal computer to be ver- 
ified and booted. It consists of BIOS sections 1 and 2, extension cards, GRUB 
boot loader stages 1 and 2, an operating system kernel, verify, and the other 
files. 
4.2 Claims 

Here we claim the security properties of sAEGIS. 

System integrity after boot 

When a PC is booted using sAEGIS, the integrity of the following compo- 
nents of the PC is ensured: BIOS, extension cards, GRUB boot loader, 
operating system, and the other files that are verified. 

User authentication 

When a PC is booted using sAEGIS, it has been booted by a legitimate user. 

4.3 Assumptions 

We make the following assumptions in our model. 

1. BIOS section 1 is integral. 

We assume that the BIOS section 1 is not modified. This guarantees that 
section 1 starts up the sAEGIS bootstrap process every time the PC is 
booted. 

The security property of the entire sAEGIS system relies on this assumption 
because BIOS section 1 is the base of the secure bootstrap. If BIOS section 1 
is modified maliciously, BIOS section 2 may not be verified correctly, result- 
ing in a compromised section 2. This leads to a compromised GRUB stage 
1, stage 2, and finally, a compromised operating system kernel. This defeats 
the goal of sAEGIS. 

We believe this assumption is reasonable. A portion of Intel’s latest genera- 
tion of flash ROM can be write-protected by setting one of the pins (RP#) 
to high [11]. Although this protection can still be compromised by setting 
one of the jumper switches on a chip set, this attack can be countered by 
storing BIOS in ROM, prohibiting any modification. 

2. Mallory can read anything in the PC, but nothing in the smartcard. 

Mallory can read any data stored in the PC. However, she cannot read any 
data in the smartcard. This is a reasonable assumption because it is usually 
easy to physically open a PC and access data storage in it. In contrast, a 
smartcard is tamper-resistant. While a smartcard suffers from newly devel- 
oped attacks [13, 14], we ignore such attacks in this paper because (1) a 
smartcard is still much harder to compromise than a PC, and (2) smartcard 
developers are devising countermeasures to the new attacks. 

3. Mallory can write anything in the PC except in BIOS section 1. She cannot 
write anything in the smartcard. 

Similarly to Assumption 2, Mallory can write anything in the PC except in 
the protected region. However, she cannot write anything in the smartcard. 

4. Cryptographic functions are strong. 

We assume that cryptographic hash functions (MD5 used in BIOS, and SHA1 
used in GRUB stage 2) are collision-free. We also assume that the random 
number generator used in the protocol given in Section 3.3 is unpredictable. 
Finally, we assume that our principal cipher, RSA, is impossible to compro- 
mise in a reasonable amount of time. 

5. Mallory does not know Alice’s private key. 

6. Mallory can snoop and modify messages on the serial port over which the PC 
and the smartcard are communicating. 



4.4 Attacks 

Modification to PC’s Components By Assumption 3, Mallory can modify 
anything she wants in the host except the BIOS section 1. However, if she does, 
Alice will notice it at the next boot because sAEGIS verifies every byte of code 
executed during the bootstrap process. By Assumption 1, a correct bootstrap 
process will be invoked every time Alice boots the PC. By Assumption 4, Mallory 
cannot forge a certificate or a MAC without knowing Alice’s private key, and 
this does not happen, by Assumption 5. 



Modification to PC’s Components after Boot Being a secure bootstrap 
system, sAEGIS makes no attempt to protect the PC after it is booted. Mallory 
can modify the system maliciously, e.g., install Trojan horse or a sniffer. However, 
Alice can always restore the integrity the PC by rebooting it. 



Unauthorized Boot Attempt Mallory may steal the PC and try to use it. 
This is impossible unless Mallory obtains Alice’s smartcard and PIN, as the au- 
thentication protocol presented in Section 3.3 prevents such an attempt. Without 
knowing Alice’s private key, K_prv (Assumptions 2 and 5), Mallory cannot produce 
{OK, r, m}K_prv, because the random number generator is strong (Assumption 4). 

Mallory may try to replay an OK message {OK, r, m}K_prv, but this does 
not work either because of the random nonce, r. 

Mallory may try a man-in-the-middle attack, i.e., modifying the kernel and 
replacing the message from the host, {m’, r}K_pub, with {m, r}K_pub. The smart- 
card, not knowing the hash value was altered, sends an OK message. However, 
the workstation notices the attack because the hash values m and m’ do not 
match. 



Serial Cable Wiretapping By Assumption 6, Mallory can read and write 
messages on the serial cable connecting the PC and the smartcard. However, she 
cannot produce {OK, r}K_prv. 

PIN Theft Mallory may obtain Alice’s PIN by breaking into the PC, or by 
sniffing the serial cable. This is a common problem for today’s smartcard sys- 
tems because a PIN is entered on the keyboard of the PC, and is transmitted 
to the smartcard through a serial cable. This problem can be addressed by a 
smartcard reader with a built-in PIN pad. For example, SPYRUS produces such 
a smartcard reader [22]. Another approach to this problem is to use a one-time 
pad for PINs, thus making replay of a PIN meaningless. 
Mallory as System Administrator Mallory may be Alice’s malicious system 
administrator, and may try to compromise her secrets. For example, consider a 
case in which Mallory tries to read Alice’s e-mail. Alice may encrypt her e-mail 
with a secure mail tool, e.g., PGP. However, without a system like sAEGIS, 
Mallory can modify the executable code of PGP to leak information. sAEGIS 
prevents this by detecting such modifications. If the operating system and appli- 
cation software vendors publish the signatures of their software, Alice can store 
the signatures in her smartcard, and can check the system. 

It is still unclear whether we can counter all the possible attacks mounted 
by system administrators because security software usually is written with the 
assumption that system administrators are trustworthy, and attacks by system 
administrators have not been well studied. However, we believe that sAEGIS is 
the first step to counter such attacks. 

5 Implementation 

We describe the sAEGIS prototype, which is an implementation of the design 
described in Section 3. It is implemented on an ASUS P55T2P4 Pentium moth- 
erboard, running a 233 MHz AMD K6 processor. 

The prototype is based on the AEGIS prototype by Arbaugh et al. We do 
not go into the details of the AEGIS implementation. sAEGIS uses GNU GRUB 
0.5.93.1. Interested readers should consult GRUB’s website [8] for details. 

5.1 GRUB Stage 1 

GRUB stage 1 is modified to verify GRUB stage 2 before jumping to it. Stage 
1 tells AEGIS where stage 2 starts (0x800 : 0) and how large it is, and calls the 
AEGIS interrupt (0xc2). 

5.2 GRUB Stage 2 

GRUB stage 2 is modified to carry out the protocol described in Section 3.3. 
First, to communicate with a smartcard through a serial port, the smartcard 
communication library is implemented by replacing the system-dependent part 
of the sc7816 library [21] with modified serial console access routines 
in OpenBSD-2.4 (/usr/src/sys/dev/ic/com.c). 

Then, it needs some cryptographic functions. SHA1 routines in GRUB are 
ported from Kerberos version 5-1.0.5 distributed by MIT. RSA routines are taken 
from PGP 2.6.2. 

In this prototype, random number generation is not implemented. It is re- 
placed with a constant. 

The kernel command in the GRUB user interface loads a kernel from a file 
system to main memory. This command is modified to invoke the verification 
protocol before letting GRUB boot the kernel. Another command, updatehash, 
is added to update the SHA1 hash so that files can be verified in addition to the 
kernel. 

5.3 verify 

verify is a C program that reads a given file, computes its hash, verifies it with 
a hash stored in a file, and returns the result of verification. An example use of 
verify is as follows. In this example, verify makes sure inetd is not modified 
before it is started. 

/etc/rc.d/init.d/inet: 

    /boot/verify /usr/sbin/inetd /boot/hash-table.txt && 
    daemon /usr/sbin/inetd 

In future implementation, verify should use hashes stored in a smartcard. 
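A minimal verify in the spirit of Section 5.3, added here as an example; it is written in Python rather than the prototype's C and is not the authors' code. The hash-table line format (path, a space, the SHA-1 in hex), the fail-closed treatment of files the table does not list, and the exit codes are assumptions made for this example; the rc script line above works only because `&&` tests verify's exit status.

```python
import hashlib
import hmac
import os
import sys
import tempfile


def load_hash_table(text):
    """Parse one 'path sha1hex' entry per line (assumed layout; the paper does
    not show the format of /boot/hash-table.txt). Blank and '#' lines skipped."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or len(fields[1]) != 40:
            raise ValueError(f"hash table line {lineno}: malformed entry {line!r}")
        table[fields[0]] = fields[1].lower()
    return table


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):   # stream: daemons can be large
            h.update(chunk)
    return h.hexdigest()


def verify(path, table):
    """True only if `path` is listed and its SHA-1 matches. An unlisted file
    fails closed, so a daemon the table does not cover is never started."""
    expected = table.get(path)
    return expected is not None and hmac.compare_digest(sha1_of_file(path), expected)


def main(argv):
    """Exit status 0 = verified, 1 = mismatch or unlisted, 2 = usage error,
    so `verify FILE TABLE && daemon FILE` starts only daemons that pass."""
    if len(argv) != 3:
        print("usage: verify FILE HASH-TABLE", file=sys.stderr)
        return 2
    with open(argv[2], encoding="ascii") as f:
        table = load_hash_table(f.read())
    return 0 if verify(argv[1], table) else 1


def self_test():
    """Constructed files in a temp dir: an intact daemon, a modified one, an unlisted one."""
    with tempfile.TemporaryDirectory() as d:
        good, bad, unlisted = (os.path.join(d, n) for n in ("inetd", "inetd.bad", "sshd"))
        for p in (good, bad, unlisted):
            with open(p, "wb") as f:
                f.write(b"constructed daemon binary")
        with open(bad, "ab") as f:                 # the 'modified' daemon gets extra bytes
            f.write(b" tampered")
        table = load_hash_table(f"# constructed hash table\n{good} {sha1_of_file(good)}\n"
                                f"{bad} {sha1_of_file(good)}\n")   # table records the original hash
        return {"good": verify(good, table), "modified": verify(bad, table),
                "unlisted": verify(unlisted, table)}


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The table itself lives on the disk that Mallory can write (Assumption 3), so this check is only as strong as the verification of the table earlier in the chain; that is the reason the text says a future verify should take its hashes from the smartcard instead.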



5.4 Smartcard-Side Code 

The program in the smartcard is implemented in a Schlumberger Cyberflex 
Access smartcard with Java. Cyberflex Access is the only smartcard we know 
that offers both programmability and cryptographic functions (DES, RSA, and 
SHA1). 

The smartcard reads a 128-byte input from GRUB and decrypts it with the RSA 
private key. It then compares the hash value with the one previously stored in 
its memory and determines whether the kernel image is unmodified. It concate- 
nates its reply (0x8080808080808080 if OK, 0x4040404040404040 if not) with 
the random key and signs the resulting string with the RSA private key. Finally, 
it sends the result to GRUB. 

In this prototype, the kernel hash is not included in the message sent from the 
smartcard to the host because the necessity for checking this value was identified 
after the prototype was implemented. In addition, a smartcard can hold only one 
SHA1 hash value. This should be improved to allow more flexibility. 



6 Performance Evaluation 

To evaluate the efficiency of sAEGIS, the boot process is timed. The following 
is the amount of time elapsed from the time that a PC is powered up until 
an operating system starts the last system daemon. In addition, the smartcard 
access time (the time spent in the protocol in Section 3.3) is measured, as it is 
one of the most expensive components. 

Measurement was carried out on Linux 2.2 (RedHat 6.2) with a 233 MHz 
AMD K6 processor. We used the RDTSC instruction to obtain the number of 
ticks after the processor powers up. All the numbers are in seconds, and are 
averages of 5 trials each. Variance is small. 
                             time (sec) 
    boot with sAEGIS            69.55 
    boot without sAEGIS         57.88 
    difference                  11.67 

                             time (sec) 
    smartcard access             5.54 


The result shows that sAEGIS adds 11.67 seconds to the bootstrap process. 
About half of the added cost is for accessing the smartcard. The other half 
includes the following: 

— Code checking, which involves MD5 hashing and RSA operations. More de- 
tails about this are available in the AEGIS papers [2, 3]. 

— Loading GRUB, which is 77KB, from a floppy disk, takes more time than 
loading the much smaller (4.5KB) Linux boot loader, LILO, from a hard 
disk. 

Adding 11.67 seconds to the bootstrap process, which already takes 1 minute, 
is acceptable in many environments. 



7 Discussion 

7.1 Key Management 

To use sAEGIS effectively, it is essential to manage the private key in the smart- 
card appropriately. We describe two ways of managing private keys. 

First, if the computer to be protected is personal, e.g., a laptop computer, 
one computer is associated with one owner. Therefore, the private key should be 
unique, and should be known only to the owner of the computer (i.e., should be 
only in the owner’s smartcard). sAEGIS can prevent an adversary from booting 
the computer, thus discouraging theft of the computer. This approach may cause 
a problem when a smartcard is lost, broken, or stolen because the associated 
computer is no longer usable. Some kind of key escrow system is needed to 
address this problem. 

Second, if the computer to be protected is public, e.g., in a library, or in an 
Internet cafe, one computer is associated with many users. The current sAEGIS 
prototype cannot provide such multi-user authentication because it has only one 
key pair between the smartcard and the computer. To achieve this, some multi- 
user authentication mechanism is necessary, e.g., a certificate-based mechanism 
with revocation, or a symmetric key-based mechanism such as Kerberos. An 
alternative to this is not to authenticate users at boot time, let anyone boot 
the computer, and rely on application level authentication. sAEGIS can achieve 
this by assigning the same private key for multiple users. The trade-offs between 
these two approaches are under discussion. 






7.2 Future Direction 

Fix Implementation Limitations Four implementation limitations described 
in Section 5 should be fixed, namely, (1) no random number generator, (2) 
verify does not use a hash in the smartcard, (3) kernel hash, m, is not included 
in the message the smartcard sends to the workstation, and (4) the smartcard 
holds only one hash. 



Smartcard Access from BIOS To achieve Goal 4 described in Section 3.1, it 
is necessary to move the smartcard access library into BIOS. The library is 11 
KB, so the size should not be a problem for the 1M flash BIOS. 

Unfortunately, one of the authors who was responsible for smartcard pro- 
gramming did not have permission to access the BIOS source code. Instead of 
working out licensing issues, we decided to implement a prototype, and to wait 
until open-source BIOS projects are mature enough to be used as the next plat- 
form [15, 20]. 

8 Conclusion 

We have implemented a personal, secure bootstrap process, sAEGIS, which is an 
extension to AEGIS. Advantages of sAEGIS over AEGIS are: (1) the smartcard 
lets users control what they use, (2) the smartcard serves as an authentication 
token, and (3) it is more flexible than AEGIS. 

The following two aspects highlight the value of this work. 

— Improvement to important software 

As attacks that modify an operating system itself are becoming more com- 
mon, secure bootstrap, such as AEGIS, is strongly demanded. One of the 
problems of AEGIS is the lack of flexibility: it can only boot the FreeBSD 
kernel, and it requires reprogramming of a flash chip when the hardware 
configuration is changed. We solved the former problem, and proposed a 
solution to the latter. 

— Idea of personalization 

sAEGIS suggests a system in which the user does not have to trust system 
administrators. We believe it is a huge security gain because many attacks 
come from inside organizations. 



Acknowledgments 

We thank Jim Rees at the University of Michigan for directing us about se- 
rial communication in a boot loader. We thank Professor Peter Honeyman and 
Professor Brian Noble at the University of Michigan for their advice. 

This work was partially supported by a research grant from Schlumberger, 
Inc. 






References 

[1] Rootkit homepage. http://www.rootkit.com/. 

[2] William A. Arbaugh. Chaining Layered Integrity Checks. PhD thesis, University 
of Pennsylvania, 1999. 

[3] William A. Arbaugh, David J. Farber, and Jonathan M. Smith. A secure and re- 
liable bootstrap architecture. In 1997 IEEE Symposium on Security and Privacy, 
Oakland, CA, May 1997. 

[4] S. M. Bellovin and M. Merritt. Limitations of the Kerberos authentication 
system. In Proceedings of the Winter 1991 Usenix Conference, January 1991. 
ftp://research.att.com/dist/internet_security/kerblimit.usenix.ps. 

[5] Eric Brewer, Paul Gauthier, Ian Goldberg, and David Wagner. Basic flaws in 
internet security and commerce, 1995. http://www.ao.net/netnigga/endpoint-security.html. 

[6] A. Dearle, R. di, J. Farrow, F. Henskens, D. Hulse, A. Lindström, S. Norris, 
J. Rosenberg, and F. Vaughan. Protection in the Grasshopper operating system, 
1994. 

[7] Dorothy Denning. Cryptography and Data Security. Addison- Wesley, 1983. 

[8] Free Software Foundation. GNU GRUB, 1999. http://www.gnu.org/software/grub/grub.html. 

[9] Ian Goldberg, David Wagner, Randi Thomas, and Eric Brewer. A secure envi- 
ronment for untrusted helper applications. In Proceedings of 6th USENIX Unix 
Security Symposium, July 1996. 

[10] halflife. Bypassing integrity checking systems. Phrack Magazine, September 1997. 
Volume 7, Issue 51, Article 9 of 17. 

[11] Peter Hazen. Flash memory boot block architecture for safe firmware updates. 
Technical Report AB-57, Intel, 1995. http://developer.intel.com/design/flcomp/applnots/292130.htm. 

[12] Gene H. Kim and Eugene H. Spafford. The design and implementation of tripwire: 
A file system integrity checker. Technical report, Purdue University, 1995. CSD- 
TR-93-071. 

[13] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Introduction to differ- 
ential power analysis and related attacks. Cryptography Research, 1998. 
http://www.cryptography.com/dpa/technical/index.html. 

[14] Oliver Kommerling and Markus G. Kuhn. Design principles for tamper-resistant 
smartcard processors. In Proceedings of USENIX Workshop on Smartcard Tech- 
nology, Chicago, May 1999. 

[15] LinuxBIOS. http://www.acl.lanl.gov/linuxbios/. 

[16] Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Tay- 
lor, S. Jeff Turner, and John F. Farrell. The inevitability of failure: The flawed 
assumption of security in modern computing environments. In 21st National 
Information Systems Security Conference, Crystal City, Virginia, October 1998. 
National Security Agency, NISSC. http://www.jya.com/paperFl.htm. 

[17] H. Nag, R. Gotfried, D. Greenberg, C. Kim, B. Maccabe, T. Stallcup, G. Ladd, 
L. Shuler, S. Wheat, and D. van Dresser. Prose: Parallel real-time operating 
system for secure environments, 1996. 

[18] Peter G. Neumann. Architectures and formal representations for secure systems, 
1996. Technical Report SRI-CSL-96-05, Computer Science Laboratory, SRI In- 
ternational. 







[19] Department of Defense. Trusted computer system evaluation criteria, December 
1985. http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html. 

[20] OpenBIOS. http://www.freiburg.linux.de/OpenBIOS/. 

[21] Jim Rees. ISO 7816 library, 1997. http://www.citi.umich.edu/projects/sinciti/smartcard/sc7816.html. 

[22] SPYRUS. http://www.spyrus.com/. 

[23] R. Wahbe, S. Lucco, T. Anderson, and S. Graham. Efficient software-based fault 
isolation, 1993. 




Evaluation of Tamper-Resistant Software 
Deviating from Structured Programming Rules 



Hideaki Goto, Masahiro Mambo, Hiroki Shizuya, and Yasuyoshi Watanabe 

Graduate School of Information Sciences, Tohoku University 
Kawauchi Aoba Sendai, 980-8576 Japan 



Abstract. Recently the demand to make software resistant to manipu- 
lation is increasing. Similarly, the demand to hide the operation of software 
or to hide a secret used in software is increasing. Software possessing such 
properties is called tamper-resistant software. One of the methods to real- 
ize tamper-resistant software is obfuscation of software, and evaluating 
such software objectively and quantitatively has been an important re- 
search subject. One of the known objective and quantitative methods 
is the method using a parse tree of a compiler proposed in mMlV18l¥71 . 
This method takes into account the complexity in one module of soft- 
ware but not the complexity originating from relationships among mod- 
ules. We propose at first several obfuscation methods to create a compli- 
cated module structure which violates the structured programming rules. 
Then, we propose a new evaluation method which can measure the diffi- 
culty caused by complicated structure among modules. Its effectiveness 
is proven through experiments. One of the experiments shows that the grades ob- 
tained by the proposed evaluation well reflect the actual reading time 
required by analysts. 



1 Introduction 

Tamper-resistance is a property such that a secret object hidden inside is hardly 
observed or modified from the outside. Software/hardware with such an attribute 
is called tamper-resistant software/hardware. Tamper-resistant hardware intrin- 
sically requires a special physical device, so that there are problems of cost and 
handling. In contrast, tamper-resistant software |Auc96| IM'l 'IRTl IIVIIVI()98) is 
expected to require less production cost. Also, having no physical limitation, it 
can be delivered through an electronic network. If we can create promising tamper- 
resistant software, we can replace a certain type of tamper-resistant hardware 
with its software version. 

There is high demand for tamper-resistant software in the electronic com- 
merce systems and agent systems. For example, a bank wants to prevent cus- 
tomers from modifying its software for handling electronic money. Customers 
succeeding in the modification may be able to cheat merchants as well as the 
bank. Similarly, mobile agents should not be modified in a remote place. If 
tamper-resistant software has enough strength against analysis and manipula- 
tion, its users have no choice but to obey the process designated by the software. 



V. Varadharajan and Y. Mu (Eds.): ACISP2001, LNCS 2119, pp. 145-^^^ 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
Obfuscation is one approach to generating tamper-resistant software. In 
this approach the description of software is converted into another one which 
analysts cannot easily read. Analysts who cannot understand the algorithm of 
the software fail to properly modify the software. We can consider obfuscation at 
different levels of language, e.g. assembly language and high-level languages like 
C. Software is often distributed in a binary form, but it is sometimes distributed 
in source code. One can imagine free application software for UNIX and code 
written in script languages like Perl and JavaScript for such distribution. Mean- 
while, even software distributed in a binary form may be transformed into source 
code by reverse engineering. Therefore, obfuscation of source code has its own 
importance. 



There are several known methods for making software hard to read. For exam- 
ple, several basic operations such as dummy code insertion, code replacement and 
code shuffling are proposed for the assembly language in [MMO98]. Modification 
of class files into a complicated form is proposed for Java in jnimEHnni. 
Modification of the structure of loops into a complicated form and separating 
source code into modules are proposed for the C language in [MTT97] and in 
miHnzi, respectively. 

In order to produce reliable tamper-resistant software, it is necessary to eval- 
uate the difficulty of reading tamper-resistant software. So far the following eval- 
uation methods are known. In [MTT97] a subject is requested to read tamper- 
resistant source code of the C language and its reading time is counted. Without 
doubt this method is affected by the skill and subjectivity of each analyst. Thus 
an alternative objective and quantitative evaluation method should be estab- 
lished. There are several evaluation methods which are regarded to be objective 
and quantitative. In [MMO98] the distribution of opcodes is observed for evalu- 
ating the assembly language. In fCIMMSOPj the depth and weights of a parse tree 
created by a compiler are counted for evaluating the high-level language. There 
is another approach of [AMflfl] which tries to evaluate the complexity of finding 
out a secret hidden inside tamper-resistant software. In this method data of a 
block cipher appearing in memory is observed and the time required for identifying 
a secret key out of the data is counted. 



In this paper we seek to objectively and quantitatively evaluate the difficulty of reading tamper-resistant software written in a high-level language. As explained above, there is a proposal in [GMMS00] for such evaluation. However, the method proposed in [GMMS00] solely evaluates the complexity of the internal structure of a module, and does not take into account the complexity originating from the relationship among modules. Therefore, we examine i) how to create a complicated structure among modules and ii) how to evaluate the complexity originating from the relationship among modules. Regarding the second subject we give experimental results on the validity of our measure in comparison with the actual reading time required by analysts. Such a comparison was not examined in [GMMS00].

This paper is organized as follows. After the introduction, we explain in Sect. 2 the notations, definitions and the evaluation method used in [GMMS00], which is also used in our paper. In Sect. 3 we explain new obfuscation methods. Then in Sect. 4 we propose an evaluation method which can measure the difficulty caused by the obfuscation methods of the previous section. In Sect. 5 we conduct experiments and show evidence of the effect of our evaluation. Finally, conclusions are given in Sect. 6.

2 Preliminaries 

2.1 Notations and Definitions 

Since we improve the evaluation method proposed in [GMMS00], we use their notations and definitions.

An algorithm $T$ to generate tamper-resistant software converts a source code $c(f)$ of an algorithm $f$ into another source code $TRC(f)$ of tamper-resistant software of $f$, where TRC is the acronym of Tamper-Resistant Code.

Given parameters $(t, s)$, $(t, s)$-tamper-resistant software satisfies the following conditions.

1. Let $P_c$ and $P_{TRC}$ be executable programs of $c(f)$ and $TRC(f)$, respectively. Let $t_c$ and $t_{TRC}$ be the computational time of $P_c$ and $P_{TRC}$, respectively, and $s_c$ and $s_{TRC}$ be the program size of $c(f)$ and $TRC(f)$, respectively. For given parameters $(t, s)$, the parameters $t_c$, $t_{TRC}$, $s_c$ and $s_{TRC}$ satisfy

$$\frac{t_{TRC}}{t_c} < t, \qquad \frac{s_{TRC}}{s_c} < s.$$

2. $P_c$ and $P_{TRC}$ output the same value for the same input. In other words, $P_c$ and $P_{TRC}$ are software performing in the same way.

Although the definition given in [GMMS00] also sets a condition on memory, the description of memory is omitted in the above definition, since we do not use it in our analysis.

2.2 Evaluation Using Parse Tree 

A computer uses a compiler for translating a high-level language like FORTRAN, PASCAL or C into machine language, which the computer can execute directly. Conceptually, a compiler operates in the following phases one by one: lexical analysis, syntax analysis, semantic analysis, intermediate code generation, code optimization and code generation. The translation by a compiler is regarded as a sequential operation of reading, analyzing and understanding a source language. In particular, the compiler analyzes and understands the source language syntactically in the syntax-analysis phase. Such an operation is exactly what a human performs when reading source code. Therefore, the parse tree obtained in the syntax-analysis phase is used in [GMMS00] for evaluating the difficulty of reading tamper-resistant software. In the parse tree, the root, each leaf and each interior node are labeled by the start symbol, a terminal symbol and a nonterminal symbol, respectively.
The evaluation rules used in [GMMS00] are as follows:

Rule 1: Weigh the edges of a parse tree by the following sub-rules.

Rule 1.1: Set an initial weight on all edges of the parse trees both for the original source code $c(f)$ and the tamper-resistant code $TRC(f)$.

Rule 1.2: Only for the tamper-resistant code $TRC(f)$, change the weights of the edges of its parse tree depending on the algorithm used for generating $TRC(f)$.

Rule 2: Output the maximum weight, called the points, among all sums of weights from the root to each leaf of the parse tree.

The grade of a tamper-resistant code is defined as the difference between the points of the tamper-resistant code and the points of the original source code. In order to assess the grade of a conversion algorithm that generates tamper-resistant software, such a grade is computed for each of multiple source codes. Finally, the grade of the conversion algorithm is computed by processing the set of grades with some statistical method like the arithmetic mean.

From the experimental results shown in [GMMS00], modification of loops contributes more to the obfuscation than dummy code insertion and replacement of functions do. Modification of loops increases the depth of nesting, so that the parse tree of a converted code becomes deeper. Hence modification of loops marks high grades.

However, the method described above only evaluates the complexity originating from the internal structure of a module, and fails to evaluate the complexity originating from the relationship among modules. This is because functions are dealt with as terminal symbols in the parse tree. Since the relationship among modules does contribute to the difficulty of reading software, the evaluation method should measure such complexity.



3 Proposal of Obfuscation Methods 

Structured programming rules are well-known programming rules allowing easy analysis and maintenance of programs. This property conversely implies that we can obtain a complicated program by destroying the structured programming rules. In this section we first explain the structured programming rules proposed by Dijkstra et al. [DDH72]. Then we show two obfuscation algorithms, the decomposition algorithm and the composition algorithm, which destroy the structured programming rules.



3.1 Structured Programming Rules 

Fig. 1. Change of the structure among functions (legend: O = function; O→O = the left function calls the right function)

In order to allow a programmer to easily analyze and maintain programs, Dijkstra et al. have proposed in [DDH72] the following structured programming rules:



1. A program is composed of three basic structures: concatenation, selection and repeat. Here concatenation means a sequence of statements. Selection means “if condition then statement 1 else statement 2” and “case-of.” Repeat means “while condition do statement” and “repeat statement until condition.” In other words, a program should be go-to-less.

2. A program is composed of modules which can be programmed independently and revised with no, or reasonably few, implications for the rest of the system.

3. Modules are designed by stepwise refinement.

Program design is conducted in two steps. The first step is to divide the functionalities of a program. Each corresponding piece of program is called a module. A good module satisfies the second rule described above. There are several ways to create modules. A top-down design is one of them. In this design the functionality of the program is refined stepwise, as described in the third rule.

The second step is the design of the inside of modules. Structured programming rules are particularly useful in this regard. The first rule contributes to expressing the flow of a program clearly, and the third rule contributes to giving a designer a method to think in a structured way and to reducing the risk of including errors in programs.

When a large system is designed, one should follow the following rule.

4. In a large system the division process is executed step by step, and a divided functionality is further divided afterwards. So a hierarchy of functionalities should be created.

Essentially, the fourth rule can be achieved by the stepwise refinement of the third rule.

3.2 Idea of the Proposed Obfuscation Method 

In the C language a program is a set of functions, and a module is represented by a function. Among the structured programming rules,

(a) the first rule and a part of the third rule are rules for dealing with one function, and

(b) the second rule, a part of the third rule and the fourth rule are rules for dealing with the relationship among functions.

We design a program that is difficult to read by destroying the structured programming rules. The rules of case (a) can be destroyed by frequently using go-to statements. The rules of case (b) can be destroyed by making the structure among functions very complicated. For the latter method, we propose two obfuscation algorithms, the decomposition algorithm and the composition algorithm.

Before explaining these algorithms, we give an example of changing the structure among functions in Fig. 1. In this figure a directed graph represents the relationship among functions. A function is shown as a vertex and a function call is shown as an edge from the calling function to the called function. The directed graph on the left is the graph of the original program. The directed graph in the middle is the graph of the program converted by the decomposition algorithm. The directed graph on the right is the graph of the program further converted by the composition algorithm.

3.3 Obfuscation through Decomposition

Fig. 2. Example of decomposition



A program can be obfuscated by the decomposition algorithm. The decomposition algorithm replaces loops generated by for statements and while statements with a cycle of functions, which is composed of an if statement and multiple component functions. In this conversion, at first, the data and variables used in the loop are defined externally. Then the processing in the loop is divided into multiple parts, and each part is represented by a function. Finally, each of the created functions is designed to call some of the other functions in such a way that the loop can be replaced by the created functions. When the condition of the if statement is not satisfied, the function call is stopped and the cycle ends. Obviously the decomposition algorithm deviates from the structured programming rules, especially the third condition, more precisely the fourth condition. The decomposition is expected to contribute to the obfuscation. An example of the decomposition is shown in Fig. 2.

Conducting this conversion needs care for the values of variables. If the value of a variable used in a function is changed outside the function, the value of the variable should be changed accordingly inside the function. In Fig. 2 the variable $i$ of function 3 is incremented outside function 3, i.e. in function 2. So $i - 1$ is used in function 3 instead of $i$.

The increase in the number of function calls, substitutions and other operations slows down the execution. Therefore, it is better to adopt a conversion which does not increase the number of these operations very much.

3.4 Obfuscation through Composition

    void function1(){            void function2(){
        process1.1;                  process2.1;
        process1.2;                  process2.2;
    }                            }

                    f(f1, f2)

    void composedfunc(){
        if(c){
            process1.1;
        }else{
            process2.1;
        }
        if(!c){
            process2.2;
        }else{
            process1.2;
        }
    }

Fig. 3. Example of composition



A program can be obfuscated by the composition algorithm. The composition algorithm combines multiple functions performing different processes into a single function. In this conversion, at first, two or more functions having the same types for parameters and also for the return value are randomly selected. Then selection statements like the if statement and the switch statement are used for exclusively executing one of the functions. In this way, the generated function is composed of selection statements and the selected functions. Since the composition algorithm deviates from the structured programming rules, especially the second rule, it is expected to contribute to the obfuscation.

An example of the composition is shown in Fig. 3. Two functions $f_1$ and $f_2$ are combined into one combined function $f(f_1, f_2)$. In the combined function $f(f_1, f_2)$ the processes of one of $f_1$ and $f_2$ are selected based on the if statement concerning a variable $c$. Naturally, we can further increase the difficulty by changing the condition on $c$ into a more complicated one.
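The two conversions of subsections 3.3 and 3.4 carried out on a small C function, as an added example that is not the paper's code: the original loop, its decomposed form as a cycle of functions guarded by an if statement, and the composition of two same-typed functions f1 and f2 into f(f1, f2) selected by c. The function bodies, the names dec_step1..dec_step3, and the choice to pass the selector c as an extra parameter are assumptions.

```c
#include <stdio.h>

/* ---- Original structured form: one function, one for loop ---- */
int sum_squares(int n) {
    int acc = 0;
    for (int i = 1; i <= n; i++) {
        acc += i * i;
    }
    return acc;
}

/* ---- Decomposition (3.3): the loop becomes a cycle of functions ----
   Data and variables used in the loop are defined externally; the loop
   body is split into parts, one function per part; the functions call
   each other in a cycle, and an if statement stops the calls when the
   loop condition fails. (Constructed names; not the paper's code.) */
static int g_n, g_i, g_acc;        /* loop variables moved outside */

static void dec_step2(void);
static void dec_step3(void);

static void dec_step1(void) {      /* loop condition */
    if (g_i <= g_n) {
        dec_step2();               /* condition holds: continue the cycle */
    }                              /* otherwise the cycle ends here */
}

static void dec_step2(void) {      /* increment part of the body */
    g_i++;                         /* i is advanced here, outside step3 */
    dec_step3();
}

static void dec_step3(void) {      /* body uses i-1, because step2 already
                                      changed i (the situation of Fig. 2) */
    g_acc += (g_i - 1) * (g_i - 1);
    dec_step1();                   /* close the cycle */
}

int sum_squares_decomposed(int n) {
    g_n = n; g_i = 1; g_acc = 0;
    dec_step1();
    return g_acc;
}

/* ---- Composition (3.4): two functions with the same parameter and
   return types are merged into one; a selector c (assumed here to be an
   extra parameter) exclusively runs one function's processes ---- */
int f1(int x) {
    int t = x + 1;                 /* process 1.1 */
    return t * 2;                  /* process 1.2 */
}

int f2(int x) {
    int t = x * 3;                 /* process 2.1 */
    return t - 1;                  /* process 2.2 */
}

int composed(int c, int x) {       /* f(f1, f2) in the paper's notation */
    int t;
    if (c) {
        t = x + 1;                 /* process 1.1 */
    } else {
        t = x * 3;                 /* process 2.1 */
    }
    if (!c) {                      /* polarity flipped, as in Fig. 3 */
        return t - 1;              /* process 2.2 */
    } else {
        return t * 2;              /* process 1.2 */
    }
}

int main(void) {
    printf("sum_squares(5)            = %d\n", sum_squares(5));
    printf("sum_squares_decomposed(5) = %d\n", sum_squares_decomposed(5));
    printf("f1(4) = %d, composed(1, 4) = %d\n", f1(4), composed(1, 4));
    printf("f2(4) = %d, composed(0, 4) = %d\n", f2(4), composed(0, 4));
    return 0;
}
```

The decomposed cycle recurses once per loop iteration, so a loop with many repetitions costs stack depth as well as the call overhead counted in $(t, s)$; this is the reason subsection 3.5 restricts the conversion to loops with few repetitions.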

3.5 Decreasing Slowdown

The decomposition and composition algorithms sometimes introduce overhead and lead to slowdown. This is because these algorithms increase the number of function calls after the creation of cycles of functions, and also because the composition algorithm in particular increases the number of selection statements. In order to avoid unacceptable slowdown in generated codes, we should adopt the following strategy for using these obfuscation algorithms. As explained in the previous subsections, the decomposition and composition algorithms modify the syntactical structure of algorithms, and the difficulty of a code generated by these algorithms is not affected by the number of repetitions of a loop existing in the program. Since the overhead introduced by these algorithms is accumulated in every repetition of a loop, we should apply the obfuscation algorithms to loops with fewer repetitions.



4 New Evaluation Method

As explained in subsection 2.2, the evaluation method proposed in [GMMS00] does not take into account the complexity originating from the relationship among modules. So it cannot properly measure the difficulty of programs created by the decomposition and composition algorithms described in subsections 3.3 and 3.4. Therefore, we propose a new evaluation method which can deal with such complexity. Although we can consider different algorithms which produce the same output but perform in a different way, we examine only the difficulty originating from different representations of the same algorithm, as done in [GMMS00].

Cycles of functions created by the conversion algorithms described in subsections 3.3 and 3.4 violate the fourth rule, which similarly means the third rule, of the structured programming rules. Just as a loop creates a nest in a parse tree and contributes to the obfuscation, we can regard cycles of functions as a kind of nest which is effective for the obfuscation.

We call multiple cycles containing exactly the same functions in the same calling order equivalent cycles.
Fig. 4. Application of the new rule (legend: W = weights)



Additional rule:

Step 1: Draw a directed graph of the structure among functions and find all cycles containing more than two functions. If there are equivalent cycles, only one cycle is used out of all the equivalent cycles.

Step 2: For each of the found cycles, add one to the weights of all edges of the parse tree of each function contained in the cycle.

The drawing method of the directed graph is explained in subsection 3.2.

In place of cycles, we might use two different values for the evaluation: the number of edges in the directed graph or the number of vertices in the directed graph. However, these values are easily increased just by adding functions. That means we could obtain a higher grade simply by refining functions in a stepwise way based on the structured programming rules.

On the other hand, let an upper function be a function lying in an upper layer of the hierarchical structure of functions. For instance, when $f_1$ calls $f_2$ and $f_2$ calls $f_3$, $f_1$ and $f_2$ lie in upper layers relative to $f_3$. We might increase only the weights of the edges of the upper function in place of all functions contained in a cycle, as defined in our evaluation rule. However, functions other than the upper function would be ignored in this evaluation. Since analysis of any function contained in the cycle needs knowledge of all the other functions contained in the cycle, it is not appropriate to increase only the weights of the edges of the upper function.

The new evaluation rule is exemplified in Fig. 4. In the figure the tree at the bottom is the parse tree of a program and the graph depicted above the tree is the directed graph of the same program. There are two cycles, one between $f_2$ and $f_3$ and the other between $f_2$ and $f_4$. Therefore, the weight W of all edges of the parse tree of $f_2$ becomes 3 and that of $f_3$ and $f_4$ becomes 2.

Table 1. The grades of tamper-resistant codes of program 1 (the points of the original source code are 25). The algorithm in the row is applied first, then the algorithm in the column. Upper entry of each cell: points (grade); lower entry: (t, s). The maxima 2.17 and 2.75 are marked with *.

           Alone           T1              T2              T3              T4              T5
T1         26 (1)          27 (2)          28 (3)          39 (14)         42 (17)         31 (5)
           (1.03, 1.21)    (1.00, 1.48)    (1.03, 2.02)    (1.03, 1.33)    (1.08, 1.80)    (1.05, 1.71)
T2         29 (4)          30 (5)          31 (6)          43 (18)         45 (20)         35 (10)
           (1.02, 1.91)    (1.04, 2.19)    (1.04, 2.75*)   (1.04, 2.02)    (1.14, 2.49)    (1.13, 2.45)
T3         38 (13)         41 (16)         43 (18)         52 (27)         44 (19)         53 (28)
           (1.02, 1.12)    (1.03, 1.66)    (1.04, 2.02)    (1.02, 1.26)    (1.07, 1.60)    (1.04, 1.66)
T4         40 (15)         42 (17)         45 (20)         57 (32)         51 (26)         56 (31)
           (1.08, 1.59)    (1.07, 1.80)    (1.14, 2.49)    (1.08, 1.75)    (2.14, 2.13)    (2.17*, 1.95)
T5         30 (5)          31 (6)          35 (10)         44 (19)         60 (35)         46 (21)
           (1.05, 1.54)    (1.03, 1.83)    (1.13, 2.45)    (1.09, 1.69)    (1.09, 1.97)    (1.11, 1.81)
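The evaluation rules of subsection 2.2 together with the additional rule of this section, applied to a call graph of the shape described for Fig. 4, as an added C example (not the paper's lex/yacc evaluation program). Assumptions: the edges (main calls f2, f2 and f3 call each other, f2 and f4 call each other) and the per-function parse-tree depths are constructed values; cycles of two functions are counted, as in the walk-through above; and the parse tree is modelled as a root with one weight-1 edge to each function definition and a subtree of uniform weight W below it.

```c
#include <stdio.h>

#define MAXF 8                      /* maximum number of functions (vertices) */

/* Constructed call graph (assumption) in the shape described for Fig. 4. */
static const char *names[MAXF] = {"main", "f2", "f3", "f4"};
static const int nfuncs = 4;
static const int calls[MAXF][MAXF] = {
    /* main f2 f3 f4 */
    {0, 1, 0, 0},   /* main -> f2 */
    {0, 0, 1, 1},   /* f2 -> f3, f2 -> f4 */
    {0, 1, 0, 0},   /* f3 -> f2 */
    {0, 1, 0, 0},   /* f4 -> f2 */
};

/* Constructed parse-tree depth of each function's subtree, in edges: the
   longest root-to-leaf path below the function definition node. */
static const int depth[MAXF] = {3, 6, 4, 5};

static int weight[MAXF];            /* W: weight of every edge inside the subtree */
static int onpath[MAXF], path[MAXF];
static int ncycles;

/* Depth-first search for directed simple cycles. A cycle is reported only
   from its lowest-numbered vertex and only through higher-numbered ones,
   so each set of equivalent cycles (same functions, same calling order)
   is counted exactly once. Self-recursion (a one-function cycle) is skipped. */
static void dfs(int start, int v, int len) {
    for (int w = 0; w < nfuncs; w++) {
        if (!calls[v][w]) continue;
        if (w == start && len >= 2) {
            ncycles++;
            for (int k = 0; k < len; k++) weight[path[k]]++;  /* Step 2 */
        } else if (w > start && !onpath[w]) {
            onpath[w] = 1; path[len] = w;
            dfs(start, w, len + 1);
            onpath[w] = 0;
        }
    }
}

/* Rule 1.1 (initial weight 1), then Step 1 and Step 2 of the additional
   rule. Returns the number of distinct cycles found. */
int apply_additional_rule(void) {
    ncycles = 0;
    for (int f = 0; f < nfuncs; f++) { weight[f] = 1; onpath[f] = 0; }
    for (int s = 0; s < nfuncs; s++) {
        onpath[s] = 1; path[0] = s;
        dfs(s, s, 1);
        onpath[s] = 0;
    }
    return ncycles;
}

int weight_of(int f) { return weight[f]; }

/* Rule 2: points = maximum weighted root-to-leaf path. The edge from the
   program root to each function definition keeps weight 1; every edge
   below it carries that function's weight W (or 1 for the unweighted tree). */
static int points(int use_rule) {
    int best = 0;
    for (int f = 0; f < nfuncs; f++) {
        int w = use_rule ? weight[f] : 1;
        int sum = 1 + w * depth[f];
        if (sum > best) best = sum;
    }
    return best;
}

/* Grade = points with the cycle rule minus points of the unweighted tree. */
int grade(void) {
    apply_additional_rule();
    return points(1) - points(0);
}

int main(void) {
    int c = apply_additional_rule();
    printf("%d cycles found\n", c);
    for (int f = 0; f < nfuncs; f++) printf("W(%s) = %d\n", names[f], weight[f]);
    printf("points: %d -> %d, grade %d\n", points(0), points(1), grade());
    return 0;
}
```

With these constructed inputs the cycle search finds the two cycles, f2 ends with W = 3 and f3, f4 with W = 2, and the points rise from 7 to 19.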

5 Experimental Results

We have conducted experiments to confirm the validity of the proposed evaluation. The conversion algorithms used are as follows.

1. Dummy code insertion, $T_1$,

2. Replacement of function, $T_2$,

3. Modification of loop, $T_3$,

4. Decomposition of functions, $T_4$,

5. Composition of functions, $T_5$.

Each of these algorithms, or a pair of them, has been applied to three programs, program 1, program 2, and program 3. Program 1 is a program for factoring. Program 2 is a program for computing the greatest common divisor. Program 3 is a program for the shell sort. These programs are relatively small programs of about 30 lines.

When we apply $T_i$ first and then $T_j$ to a program $p_k$, the corresponding algorithm of this sequential operation is expressed as $T_j T_i$, and the generated tamper-resistant code is expressed as $TRC_j TRC_i(p_k)$. When the same conversion algorithm $T_i$ is applied $n$ times, we write $T_i^n$ and $TRC_i^n(p_k)$ for the corresponding algorithm and the generated tamper-resistant code.

Using the lexical analyzer lex and the syntax analyzer yacc, we have implemented an evaluation program.

5.1 The Grades of Tamper-Resistant Software

Table 1 shows the grades of the tamper-resistant codes of program 1 generated by combinations of the 5 conversion algorithms. The algorithm in the row is applied first and then the algorithm in the column is applied. In this case the points of the original source code are 25, and the grade expressed between parentheses in the upper row of each cell is derived by subtracting 25 from the points expressed without parentheses.

The execution time and the program size of the original source code of program 1 are 0.1544 seconds and 182 bytes, respectively. The execution time is computed as the arithmetic mean of 100 trials under Solaris 7 on a Sun Ultra 10, UltraSPARC-IIi/333MHz. The file size does not count returns and spaces. The pair of values shown in the lower row of each cell represents the parameters $(t, s)$ mentioned in subsection 2.1. The maximum values (2.17, 2.75) of $(t, s)$ are marked with * in Table 1. That means the results for the 25 tamper-resistant codes in Table 1 can be considered as results for (2.17, 2.75)-tamper-resistant software.

In Fig. 5 we show the structure among functions of program 1. The directed graph in the middle represents the graph of the tamper-resistant code converted by $T_4$ twice. The directed graph on the right represents the graph of the tamper-resistant code generated in the experiment of the next subsection. It is converted by $T_4$ twice and then by $T_5$ twice.



Fig. 5. Modifying the structure among functions into a complicated form (panels from left to right: $c(p_1)$, $TRC_4^2(p_1)$, $TRC_5^2 TRC_4^2(p_1)$; legend: O = function, • = composed function, O→O = the left function calls the right function, W = weights)



Fig. 6 shows the grades of the conversion algorithms with respect to programs 1, 2 and 3. This figure implies that conversion algorithms composed of modification of loop $T_3$, decomposition of functions $T_4$ and composition of functions $T_5$ mark high grades. As mentioned in subsection 2.2, the original evaluation method in [GMMS00] can evaluate only the difficulty originating from modification of loops. The result shown in Fig. 6 indicates that the proposed improvement is effective for evaluating the complexity originating from the structure among functions as well.

Fig. 6. The grades of tamper-resistant software with respect to programs 1, 2, 3



5.2 Relationship between the Grades and the Reading Time

Since the proposed evaluation method does not involve analysts, it is considered to be objective. However, we do not know how the computed grades relate to the actual reading time of analysts. In order to obtain evidence of the validity of our evaluation, we have conducted experiments to clarify the relationship between the grades obtained by the proposed evaluation and the actual reading time required by analysts.

Let $p_k$ be program $k$ for $k \in \{1, 2, 3\}$. For a program $k$, the original source code $c(p_k)$, the tamper-resistant codes $TRC_i^2(p_k)$ for $i \in \{1, 2, 3, 4\}$ and $TRC_5^2 TRC_4^2(p_k)$ are evaluated. In the evaluation, a subject is given a source code and data, and answers what the output of the program is. If the answer is wrong, the subject continues to read it until the subject reaches the right answer. The time until the subject answers correctly is counted.

The number of subjects is 6. The following assignment of source codes follows the idea adopted in [MTT97]. One source code is selected from each of three categories: $c(p_k)$ and $TRC_1^2(p_k)$; $TRC_2^2(p_k)$ and $TRC_3^2(p_k)$; and $TRC_4^2(p_k)$ and $TRC_5^2 TRC_4^2(p_k)$. Note that there are 6 source codes in each of these categories. The 3 selected source codes are analyzed by one subject. With this assignment, subjects do not read multiple source codes generated by the same conversion algorithm, so they do not become familiar with the program. At the same time, source codes converted from the same original program $p_k$ are not assigned to the same subject. With this assignment, subjects do not become familiar with the program, either.
Fig. 7. Relationship between the average grades and the average relative time for analysis (axis label: Av. GRADES)



The relationship between the average grades and the average relative time for the analysis is shown in Fig. 7. Relative time means the difference between the actual reading time of a tamper-resistant code and that of the original source code. We can observe that source codes possessing high grades require a longer time for analysis. It is fair to say that the grades reflect the actual reading time of analysts.

From Fig. 7, the grade of $T_5^2 T_4^2$ is the highest among all examined conversion algorithms. A rough reason in the case of program 1 would be as follows. The directed graph of the tamper-resistant code of program 1 generated by $T_5^2 T_4^2$ is shown in Fig. 5. A composed function belongs to two cycles of functions and the weight of the edges of its parse tree is increased to 3. Such an increase provides a high grade. Moreover, the increase in the number of selection statements after the conversion by $T_5$ results in an increase of nesting, which also provides a high grade. We can observe the similar property in the cases of programs 2 and 3.

From the results of the experiments in the previous subsection and this subsection, we can conclude that our evaluation method is effective in evaluating the complexity originating from the relationship among modules.

6 Conclusions 

Based on the idea of making a program deviate from the structured programming rules, we have developed two obfuscation methods to make the module structure complicated. The two obfuscation algorithms are the decomposition algorithm and the composition algorithm. The decomposition algorithm replaces loops with a cycle of decomposed functions. The composition algorithm combines multiple functions performing different processes into a single function.

On the other hand, in order to overcome the incompleteness of the evaluation method proposed in [GMMS00], we have proposed a new objective and quantitative evaluation method which can measure the difficulty of programs caused by a complicated structure among modules. The relationship among modules is shown by a directed graph, and we have estimated that cycles appearing in the graph contribute to the obfuscation, and used them for evaluation. Experimental results show that the difficulty originating from the structure among modules is evaluated by the proposed method. We have also examined the relationship between the grades and the actual reading time required by analysts. The corresponding result tells us that the grades obtained by the proposed method reflect the actual reading time well.
Abstract. This paper describes the design of a model as well as an architecture to provide support for distributed advanced workflow transactions. We discuss the application of transaction concepts to activities that involve the integrated execution of multiple tasks over different processes. Such applications are described as transactional workflows. The classical commit protocol, used in many commercial systems, is not suitable for use in multilevel secure distributed workflow database systems that use a locking protocol for concurrency control. We choose to develop a formal framework for a secure distributed workflow architecture since we are actively involved in building a prototype of such a system. We strive to develop a practical logical characterization of multilevel secure (MLS) distributed workflow for the first time using the inherently difficult concept of non-monotonic reasoning.



1 Introduction 

Many technical and nontechnical issues hinder enterprise-wide workflow management. Because workflow types cannot always be fully predefined, they often need to be adjusted or extended during operation. Distributed workflow execution across functional domains is necessary, but distribution transparency is currently impossible because different types of Workflow Management Systems (WFMSs) implement different WFMS metamodels.

One possible way to enable distributed workflow execution is to build a workflow-management infrastructure integrating different and heterogeneous workflows. Users would have access to the total functionality because they access the underlying workflow-management infrastructure, not individual WFMSs. The resulting architecture is general and can accommodate as many WFMSs as required.

Transaction concepts have begun to be applied to support applications or activities that involve multiple tasks of possibly different types, including, but not limited to, transactions, and executed over different types of entities, including DBMSs. Generally we will refer to such applications as multi-system transactional workflows.

* Research supported by the UWS, Versant Technology Corporation and Intel

The recent trend to distribute workflow executions requires an even more advanced transaction support system that is able to handle distribution. Workflow applications are long-duration applications since the duration of a workflow can range from a few hours to a few months.

To summarize, the new aspects of our approach to security in distributed workflow database management systems include the following research contributions. The novel approach to the development of a practical logical characterization of multilevel secure (MLS) distributed workflow for the first time using the inherently difficult concept of non-monotonic reasoning. A distinguishing feature of the proposed workflow transaction support system is the ability to manage the arbitrary distribution of business processes over multiple workflow management systems. We also derive a general theorem which must be active when classifying every item of information.



1.1 Outline of the Paper 

We have planned the presentation of the current research as follows. We first present a brief introduction to work on workflow transaction models and discuss the extended/relaxed approach to handling workflow transactions in section 2. Section 3 covers related aspects of workflow distribution and heterogeneity. A number of relaxed transaction models in workflow contexts that have been defined recently, permitting a controlled relaxation of transaction isolation and atomicity to better match the requirements of various workflow applications, are discussed in section 4. In section 5 we develop a formal model, and some axioms related to the multilevel secure distributed workflow object-relational model are given, from which theorems regarding secure workflow database models are derived. Section 6 concludes the paper with a summary and a short discussion of future research.



2 Related Work 

Traditional transactions are usually characterized by the atomicity, consistency, isolation and durability requirements, called the ACID properties of transactions. Some known examples of extended transaction models include nested and multi-level transactions. Some examples of extended/relaxed transaction models are reported in [ref].

In the WIDE project [ref], a workflow is supported at two transaction levels: global and local. At the global level, the SAGA-based model offers relaxed atomicity through compensation and relaxed isolation by limiting the isolation to the SAGA steps. Some researchers in workflow systems have proposed the notion of transactional workflow [ref]. In a transactional workflow environment, additional correctness requirements can be specified on top of traditional workflow specifications.
The Workflow Management Coalition has specified a standard interface to facilitate the interoperability between different WFMSs [ref]. However, they do not address transactional issues, with the exception of writing an audit log.

The transaction model used in the Exotica project [ref] is based on the SAGA model, but relies on statically computed compensation patterns. As a result, its functionality is limited compared to the work presented in this research paper.

Finally, most commercial products are designed around a centralized database. This database and the workflow engine attached to it (in most cases there is a single workflow engine) are a single point of failure which quickly becomes a bottleneck and is not capable of providing a sufficient degree of fault tolerance.

Very often, a WFMS processes data for which high standards must be set with respect to privacy and data security. Most of the workflow transaction management theory for multilevel secure database systems has been developed for workflow transactions that act within a single security class. In our research work, we look at workflow transactions that act across security classes, that is, the workflow transaction is a multilevel sequence of database commands, which more closely resembles user expectations. We propose a formal model and semantics for interpreting security issues in a workflow architecture which can incorporate a multilevel deductive database.

3 Workflow Distribution and Heterogeneity 

Workflow distribution introduces an additional level of requirements. Because distributed workflow execution across heterogeneous WFMSs is currently not possible in a transparent way, we must consider the problem of workflow functionality isolation.

A workflow is distributed when at least two of its objects reside in two different WFMS installations. This applies to workflow definitions as well as to workflow instances. An often-cited situation is subworkflow distribution, where subworkflows are subject to execution on remote WFMSs. Some variants are possible, such as executing a subworkflow synchronously or asynchronously with respect to the invoking workflow. One typical variant involves executing some part of a workflow on one WFMS and continuing on another (see Fig. 1).

If the associated WFMSs do not know about each other, this is indirect distribution. In this case, the WFMSs do not implement distribution natively, and the system designer must attach distribution functionality to the associated WFMSs. A recognised way is to establish communication buffers between the WFMSs, such as a database or persistent file stores. Fig. 2 shows an example workflow definition with one distribution task. The distribution task invokes an application for buffer communication. Typically, workflow types can be distributed, too.

3.1 An Architecture for Multilevel Secure Workflow Interoperability 

Global information management strategies based on a sound distributed architecture are the foundation for effective distribution of the complex applications that are needed to support ever changing operational conditions across security boundaries. What we need is a new MLS distributed computing paradigm that can assist users at different locations and at different security levels to cooperate.

Fig. 1. Workflow Division across different WFMSs

We present a fully distributed architecture for implementing a Workflow Management System (WFMS). An MLS workflow distributed database consists of a set $\mathcal{N}$ of sites, where each site $N \in \mathcal{N}$ is an MLS database. The sites in the workflow system are interconnected via communication links over which they can communicate. The WFMS architecture operates on top of a Common Object Request Broker Architecture (CORBA) implementation. CORBA's Interface Definition Language (IDL) is used to provide a means of specifying workflows. We also assume that communication links are secure, possibly using encryption. This distributed workflow transaction processing model describes mainly those components necessary for the distribution of a transaction over different domains.




Fig. 2. The Distribution Task Invokes an Application for Buffer Communication 



A domain is a unit of autonomy that owns a collection of flow procedures and their instances. In practical terms, a domain might define the scope of a department or division in an organization. Therefore, flows are grouped by domains, and each domain also manages a set of flow procedures installed in the domain. A domain is not defined or limited by networks, processors, or peripherals. The resource managers can, however, be designed in any fashion; they are exclusively responsible for the ACID properties on their data records. Only the interface to the components of the distributed workflow model must exist.

If a transaction is to be distributed over several domains (a global transaction), the following components must exist in every domain (see Fig. 3).




Fig. 3. Distributed Workflow Architecture 



— TM (Transaction Manager). The transaction manager plays the role of the coordinator in the respective domain. If a transaction is initiated in this domain, the TM assigns a globally unique identifier to it. The TM monitors all actions from applications and resource managers in its domain. In every domain involved in the distributed workflow transaction environment there exists exactly one TM.
— CRM (Communication Resource Manager). Multiple applications in the same domain talk with each other via the CRM. This module is used by applications, but also by other management components, for inter-domain communication. The CRM is the most important module with respect to the transactional support for distributed workflow executions. Our model specifies T*RPC as the communication model, which supports remote procedure calls (RPC) in a transactional environment.

— RM (Resource Manager). An accountable performer of work. A resource can be a person, a computer process, or a machine that plays a role in the workflow system. This module controls the access to one or more resources such as files, printers or databases. The RM is responsible for the ACID properties on its data records. A resource has a name and various attributes defining its characteristics. Typical examples of these attributes are job code, skill set, organization unit, and availability.

— AMS (Administration Monitoring Service). The monitoring manager is used to control the workflow execution. In our approach, there is no centralized scheduler: each Task Manager (designated TSM) is equipped with a conditional fragment of code which determines if and when a given task is due to start execution. The scheduler communicates with task managers using CORBA's asynchronous Interface Definition Language (IDL) interfaces. Task managers communicate with tasks using synchronous IDL interfaces as well. The AMS module is also responsible for the coordination of the different sites in case of an abort that involves multiple sites. Individual task managers communicate their internal states, as well as data object references, to the monitoring manager for possible recovery.

The distributed architecture naturally suits the inherently distributed character of workflows. This approach also eliminates the bottleneck of task managers having to communicate with a remote centralized scheduler during the execution of the workflow. This architecture also possesses high resiliency to failures: if any one node crashes, only a part of the workflow is affected.

4 Relaxed Transaction Models in Workflow Contexts 

A number of relaxed transaction models have been defined recently that permit a controlled relaxation of transaction isolation and atomicity to better match the requirements of various workflow applications. Usually, we will refer to such applications as multi-system transactional workflows. This area has also been influenced by the concept of long running activities.

As has been pointed out in [?], WFMSs lack the ability to ensure the correctness and reliability of workflow execution in the presence of concurrency and failures.
4.1 Transactional Workflows

Support for workflow applications has been addressed by researchers focusing on workflow systems and on transaction systems. Our approach falls in the category of transactional workflows [?], where additional correctness requirements can be specified on top of traditional workflow specifications. Flexible transactions work in the context of heterogeneous distributed multidatabase workflow environments [?]. In such workflow environments, each database acts independently from the others. Because a local database can unilaterally abort a transaction, it is not possible to enforce the commit semantics of global transactions. Flexible transactions were designed to address this problem.

4.2 The Functionality of Flexible Transactions in Workflow Systems 

A flexible transaction is specified by providing: the precondition of the global transaction, a set of subtransactions, the externally visible states of each subtransaction and the possible transitions among these externally visible states, preconditions and postconditions for the possible transitions of each subtransaction, and the postcondition of the global transaction.

To better support the workflow operational environment, the flexible transaction model relaxes the isolation and atomicity properties. This approach is the direct result of our belief that tying a workflow system to a particular transaction model will result in major restrictions that limit its applicability and usefulness as a workflow tool.

4.3 A Formal Model of Flexible Transactions 

From a user's point of view, a transaction is a sequence of actions performed on data items in a database. The flexible transaction model proposed for the distributed workflow environment increases the failure resiliency of global transactions by allowing alternate subtransactions to be executed when a local database fails or a subtransaction aborts. The approach supports the concept of varied transactions, allowing compensatable and non-compensatable subtransactions to coexist within a single global transaction. The concurrency control of global transactions requires that each global transaction has at most one subtransaction at each local site [?]. Following [?], the definition of flexible transactions takes the form of a high-level specification. The flexible transaction model supports flexible execution control flow by specifying two kinds of dependencies among the subtransactions of a global transaction:

— Execution ordering dependencies between two subtransactions. 

— Alternative dependencies between two subsets of subtransactions. 

In what follows, we shall formally describe the flexible execution control in 
the flexible transaction model. 

Let $\Omega = \{t_1, \ldots, t_n\}$ be a collection of subtransactions and $\Pi(\Omega)$ the collection of all subsets of $\Omega$. Let $t_i, t_j \in \Omega$ and $T_i, T_j \in \Pi(\Omega)$. Two types of control flow relations are defined, on the elements of $\Omega$ and on $\Pi(\Omega)$, namely:

— precedence $t_i \prec t_j$ if $t_i$ precedes $t_j$ ($i \neq j$),

— preference $T_i \triangleright T_j$ if $T_i$ is preferred to $T_j$ ($i \neq j$). If $T_i \triangleright T_j$, we also say that $T_j$ is an alternative to $T_i$.

Both of the above relations, precedence and preference, are irreflexive and transitive, or more formally: for each $t_i \in \Omega$, $\neg(t_i \prec t_i)$, and for each $T_i \in \Pi(\Omega)$, $\neg(T_i \triangleright T_i)$; if $t_i \prec t_j$ and $t_j \prec t_k$, then $t_i \prec t_k$; if $T_i \triangleright T_j$ and $T_j \triangleright T_k$, then $T_i \triangleright T_k$.

From the above definitions we can see that the precedence relation determines the correct parallel and sequential execution ordering dependencies among the subtransactions, while the preference relation determines the priority dependencies among alternate sets of subtransactions to be selected in completing the execution of $\Omega$.

Now a flexible transaction can be defined as follows: 

Definition 1. Flexible transaction. A flexible transaction $\Omega$ is a set of related subtransactions on which the precedence ($\prec$) and preference ($\triangleright$) relations are defined.

The semantics of the precedence relation refers to the execution order of subtransactions. For example, $t_1 \prec t_2$ may imply that $t_2$ cannot start before $t_1$ finishes, or that $t_2$ cannot finish before $t_1$ finishes. By the same token, the preference relation defines alternative choices and their priority. For example, $\{t_i\} \triangleright \{t_j, t_k\}$ may imply that $t_j$ and $t_k$ must abort when $t_i$ commits, or that $t_j$ and $t_k$ should not be executed if $t_i$ commits. In this environment, $\{t_i\}$ has higher priority than $\{t_j, t_k\}$ to be chosen for execution.

We consider that a workflow database state is consistent if it preserves the workflow database integrity constraints. As is the case for traditional transactions, the execution of a flexible transaction as a single unit should map one consistent multidatabase workflow state to another. We designate the relation $(T_i, \prec_i)$ as a partial order of subtransactions. $(T_i, \prec_i)$ is a representative partial order if the execution of the subtransactions in $T_i$ represents the execution of the entire flexible transaction $\Omega$. From the above it is clear that if $(T_i, \prec_i)$ is a representative partial order, then there are no subsets $T_{i1}$ and $T_{i2}$ of $T_i$ such that $T_{i1} \triangleright T_{i2}$. Because each global transaction has at most one subtransaction at a local site, each representative partial order of a flexible transaction must have at most one subtransaction at a local site. In our workflow execution environment, for flexible transactions, the above definition of consistency requires that the execution of the subtransactions in each representative partial order must map one consistent workflow multidatabase state to another.



4.4 Scheduling of Flexible Transactions 

Since the flexible transaction model was proposed, much research has been devoted to its application. The availability of visible prepare-to-commit states in local database systems is the basic assumption underlying this work. Also, time used in conjunction with subtransactions and global transactions can be exploited in transaction scheduling.

A schedulable subtransaction may be submitted for execution to the transac- 
tion module. The scheduler first has to check for satisfaction of the preconditions 
for execution of each subtransaction — it determines whether a subtransaction 
is schedulable. This entails the specification of the execution dependency among 
the subtransactions of a global transaction. Execution dependency is a re- 
lationship among subtransactions of a global transaction which determines the 
legal execution order of the subtransactions. To support the specification of the 
execution dependency, we define a transaction execution state as follows: 

Definition 2. The transaction execution state $x$ for a global transaction $T$ with $m$ subtransactions is an $m$-tuple $(x_1, x_2, \ldots, x_m)$ where:

$$x_i = \begin{cases} E & \text{if } t_i \text{ is currently being executed;} \\ N & \text{if subtransaction } t_i \text{ has not been submitted for execution;} \\ S & \text{if } t_i \text{ has successfully completed;} \\ F & \text{if } t_i \text{ has failed or completed without achieving its objective.} \end{cases}$$



Under normal operational circumstances the transaction execution state is used to keep track of the execution of the workflow subtransactions. It is also used to determine whether a global workflow transaction has achieved its objectives. When a subtransaction $t_i$ completes, the corresponding execution state $x_i$ is set to $S$ if the subtransaction has achieved its objective, and to $F$ otherwise. At a certain point of execution, the objectives of the global workflow transaction may be achieved. At that point, the global transaction is considered to be successfully completed and can be committed.
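As an added example (not the authors' code), the following Python models the precedence and preference relations of Definition 1, the execution-state vector of Definition 2 and the schedulability check of Section 4.4; the subtransaction names, their dependencies and the outcomes reported by the local sites are all constructed.

```python
"""Flexible transaction: precedence (<), preference (>), execution states.

Added example, not from the paper.  Subtransaction names and outcomes are
constructed; outcomes stand in for what the local databases would report.
"""

E, N, S, F = "E", "N", "S", "F"   # execution states of Definition 2


def transitive_closure(pairs):
    """Close a relation under transitivity and reject reflexive pairs, so the
    result is the irreflexive, transitive relation Section 4.3 requires."""
    closure = set(pairs)
    while True:
        extra = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if extra <= closure:
            break
        closure |= extra
    if any(a == b for a, b in closure):
        raise ValueError("relation must be irreflexive (a cycle was found)")
    return closure


class FlexibleTransaction:
    def __init__(self, omega, precedence, preference):
        self.omega = list(omega)                           # Omega = {t_1, ..., t_n}
        self.prec = transitive_closure(set(precedence))    # t_i < t_j
        self.pref = transitive_closure(                    # T_i > T_j on subsets
            {(frozenset(a), frozenset(b)) for a, b in preference})
        self.state = {t: N for t in self.omega}            # nothing submitted yet

    def predecessors(self, t):
        return {a for a, b in self.prec if b == t}

    def is_representative(self, chosen):
        """(T_i, <_i) is representative: no two subsets of T_i are related by >."""
        chosen = frozenset(chosen)
        return not any(a <= chosen and b <= chosen for a, b in self.pref)

    def _preference_gate(self, t):
        """For t in an alternative B of some A > B: wait until A has finished,
        skip t if all of A committed, otherwise t may go (part of A failed)."""
        for a, b in self.pref:
            if t in b:
                if any(self.state[x] in (N, E) for x in a):
                    return "wait"
                if all(self.state[x] == S for x in a):
                    return "skip"
        return "go"

    def schedulable(self, t):
        """Section 4.4 precondition: not yet submitted, every predecessor under
        < has completed successfully, and the preference gate allows it."""
        return (self.state[t] == N
                and all(self.state[p] == S for p in self.predecessors(t))
                and self._preference_gate(t) == "go")

    def execute(self, outcomes):
        """Submit schedulable subtransactions until none remain; `outcomes`
        maps t -> S or F (constructed local results, default S).
        Returns the execution state m-tuple (x_1, ..., x_m) in Omega order."""
        progressed = True
        while progressed:
            progressed = False
            for t in self.omega:
                if self.schedulable(t):
                    self.state[t] = E                    # submitted to its site
                    self.state[t] = outcomes.get(t, S)   # site reports S or F
                    progressed = True
        return tuple(self.state[t] for t in self.omega)

    def objective_achieved(self):
        """The global transaction commits when the S-subtransactions form a
        representative partial order covering every t in Omega, directly or
        through a committed preferred set or a committed alternative."""
        committed = {t for t, x in self.state.items() if x == S}
        if not self.is_representative(committed):
            return False
        return all(t in committed
                   or any((t in a and b <= committed) or (t in b and a <= committed)
                          for a, b in self.pref)
                   for t in self.omega)


def demo(outcomes):
    """Constructed flexible transaction: t1 < ti, t1 < tj, tj < tk and
    {ti} > {tj, tk} (the paper's example of an alternative)."""
    ft = FlexibleTransaction(["t1", "ti", "tj", "tk"],
                             precedence={("t1", "ti"), ("t1", "tj"), ("tj", "tk")},
                             preference=[({"ti"}, {"tj", "tk"})])
    return ft.execute(outcomes), ft.objective_achieved()


if __name__ == "__main__":
    print(demo({}))                     # ti commits, alternatives skipped
    print(demo({"ti": F}))              # ti fails, tj and tk run instead
    print(demo({"ti": F, "tj": F}))     # no representative order commits
```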

A number of approaches can be used to assure global serializability, which constitutes a satisfactory correctness criterion for the concurrent execution of multidatabase workflow transactions when there is no additional information about their semantics. The objective of concurrency control is to assure that the serialization order of multidatabase workflow transactions is the same at all sites where they execute. It has been shown that this condition is sufficient to assure global serializability. However, in our workflow operational environment this requirement can be relaxed to require that the relative serialization order of Workflow Transactions be the same only at those nodes where they conflict. This leads to a weaker notion of serializability, called WT-serializability, which will be used as our correctness criterion for the concurrent execution of Workflow Transactions. We say that workflow transactions conflict if they execute at the same (local) site and they are not commutative. The conflict relation is transitive and therefore determines a set of equivalence classes, which we call conflict classes. In our workflow environment they are used to determine the granularity of locking. In order to define workflow transaction serializability (WT-serializability), let us consider two workflow flexible transactions $WT_\alpha$ and $WT_\beta$, and conflict classes $i$ and $j$. A global schedule is WT-serializable if for any subtransactions $ST_i^\alpha, ST_j^\alpha \in WT_\alpha$ and $ST_i^\beta, ST_j^\beta \in WT_\beta$ such that $\mathrm{conflict}(ST_i^\alpha, ST_i^\beta)$ and $\mathrm{conflict}(ST_j^\alpha, ST_j^\beta)$, $ST_i^\alpha \prec ST_i^\beta \Rightarrow ST_j^\alpha \prec ST_j^\beta$ at all sites where they conflict. In our workflow environment the $\prec$ relationship is defined in terms of local serializability. WT-serializability establishes a partial order among all workflow flexible transactions. The submission order at each system can be used to determine the execution and, consequently, the serialization order at each site. Therefore, the concurrency control mechanism of the local system will assure that the transactions submitted to it are executed correctly with respect to the local concurrency control. As a result, the lock held by a subtransaction can be released as soon as the subtransaction completes its submission phase. Therefore, we will have several transactions executing concurrently at each local site.
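The WT-serializability criterion above can be checked from the local serialization orders the sites report; the following Python is an added example (not the authors' code) with constructed sites, workflow transactions and conflict classes.

```python
"""WT-serializability check over per-site local serialization orders.

Added example, not from the paper.  Sites, workflow transactions and conflict
classes are constructed.  Two workflow transactions conflict at a site when
both run a subtransaction there in the same conflict class; the global
schedule is WT-serializable when, for every pair of workflow transactions,
their relative order is the same at every site where they conflict.
"""
from itertools import combinations


def conflicts_at(site, wt_a, wt_b, classes):
    """wt_a and wt_b conflict at `site` if their subtransactions there share a
    conflict class (non-commutative operations on the same data)."""
    at_site = classes.get(site, {})
    return bool(at_site.get(wt_a, set()) & at_site.get(wt_b, set()))


def relative_order(local_order, wt_a, wt_b):
    """+1 if wt_a is serialized before wt_b at this site, -1 if after."""
    return 1 if local_order.index(wt_a) < local_order.index(wt_b) else -1


def wt_serializable(local_orders, classes):
    """local_orders: site -> workflow transactions in local serialization order.
    classes: site -> {workflow transaction -> set of conflict classes touched}.
    Returns (ok, violations); a violation names the pair and two sites where
    the relative order differs."""
    violations = []
    wts = sorted({wt for order in local_orders.values() for wt in order})
    for wt_a, wt_b in combinations(wts, 2):
        orders = {}   # site -> relative order, only at sites where they conflict
        for site, order in local_orders.items():
            if wt_a in order and wt_b in order and conflicts_at(site, wt_a, wt_b, classes):
                orders[site] = relative_order(order, wt_a, wt_b)
        before = sorted(s for s, r in orders.items() if r == 1)
        after = sorted(s for s, r in orders.items() if r == -1)
        if before and after:
            violations.append((wt_a, wt_b, before[0], after[0]))
    return not violations, violations


# Constructed sample: WT1 and WT2 both touch the "acct" class at siteA and the
# "ledger" class at siteB, but siteB serialized them in the opposite order.
LOCAL_ORDERS = {
    "siteA": ["WT1", "WT2", "WT3"],
    "siteB": ["WT2", "WT1"],
    "siteC": ["WT3", "WT1"],
}
CONFLICT_CLASSES = {
    "siteA": {"WT1": {"acct"}, "WT2": {"acct"}, "WT3": {"audit"}},
    "siteB": {"WT1": {"ledger"}, "WT2": {"ledger"}},
    "siteC": {"WT1": {"audit"}, "WT3": {"hr"}},   # disjoint classes: commutative
}


def check(local_orders=LOCAL_ORDERS, classes=CONFLICT_CLASSES):
    return wt_serializable(local_orders, classes)


if __name__ == "__main__":
    print(check())                                        # (False, [violation])
    print(check(dict(LOCAL_ORDERS, siteB=["WT1", "WT2"])))  # (True, [])
```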

5 A Formal Approach to Support Workflow Security 

An MLS distributed workflow management system should support functionality equivalent to a single-level workflow management system from the perspective of MLS distributed workflow users who design, implement and utilize multilevel secure distributed workflows.

A number of models for secure workflow have been proposed. These models differ in many respects. Despite heavy interest in building models of secure workflow management systems, there is no clear understanding of what a multilevel secure data model exactly is.



5.1 A Logic Based Semantics for Multilevel Secure Workflow 

In a multilevel secure workflow database management system, users cleared to different security levels access and share a database consisting of data items at different sensitivity levels.

As part of our research work, we introduce a belief-based semantics for multilevel secure workflow databases that supports the notion of declarative belief and belief reasoning in a multilevel security (MLS) scheme in a meaningful way. We strive to develop, for the first time, a practical logical characterization of MLS workflow databases using the inherently difficult concept of non-monotonic reasoning.

Recent research shows that users in the MLS workflow model have an ambiguous view and confusing beliefs about data [?]. Multilevel security implements the policy of mandatory protection defined in [?] and interpreted for computerized systems by Bell and LaPadula [?]. In this paper we assume that the representation and execution of MLS rules obey the Bell-LaPadula "no read up, no write down" principles. Many multilevel data models have been proposed in the literature, to mention a few: SeaView, the models proposed by Sandhu-Jajodia [?] and by Smith-Winslett [?], and many others. Each of these models has its strong points (e.g., the belief-based semantics of the Smith-Winslett model). However, we argue that most of these proposals are not completely satisfactory, in particular if the workflow database may be polyinstantiated.



5.2 Multilevel Workflow Database 

The majority of proposals for multilevel secure workflow relational (MLS) databases have utilized various syntactic integrity properties to control problems that arise under very strict security, such as polyinstantiation and the proliferation of tuples resulting from updates, with only partial success. We propose modal logic as a natural vehicle for reasoning about security. Because much of security depends on the concept of what a subject knows, logic allows us to reason about knowledge, one of the fundamental concepts of computer security.

In our research we are interested in workflow databases which enforce the multilevel security policy. Let us designate by $Level$ a finite set of security levels. The set $Level$ is assumed to be a lattice associated with a partial order relation denoted by $\leq$. This directly implies that the least upper bound and greatest lower bound are determined. To describe them, we employ two functions $\mathrm{lub}$ and $\mathrm{glb}$. Assuming that $l_1$ and $l_2$ are two security levels, $\mathrm{lub}(l_1, l_2)$ and $\mathrm{glb}(l_1, l_2)$ are respectively the least upper bound and greatest lower bound of $l_1$ and $l_2$. There are also two distinctive levels: the one which is lower than all other levels, designated by $\bot$, and the one which is higher than all other levels, designated by $\top$. We view the global multilevel database as a set of partitions, where each partition accommodates a single-level database associated with one particular security level. We can formally represent this as follows. A multilevel database $DB$ is represented by a set of databases $\{DB_i, i \in Level\}$. Every $DB_i$ is a partition containing a finite set of propositional formulae whose classifications are equal to $i$ and which are satisfiable but not necessarily complete. We assume that the integrity constraints are classified at level $\bot$ because there is a single set of integrity constraints which is common to every single-level database $DB_i$, $i \in Level$. We wish to remove this restriction, therefore we consider partitioning the global set of integrity constraints into subsets $I_i$ associated with each single-level database $DB_i$. For example, let us assume that the following integrity constraint $I_1$ is stored at the unclassified level:

— $\forall x, \forall y, Emp(x) \wedge Earn(x, y) \rightarrow y \leq 80{,}000$

i.e. an employee must not earn more than $80,000.

However, let us assume that there are employees who can earn up to $99,000 but this data must be kept secret. Accordingly, we can state the following integrity constraint $I_2$ at the secret level:

— $\forall x, \forall y, Emp(x) \wedge Earn(x, y) \rightarrow y \leq 99{,}000$



170 Vlad Ingar Wietrzyk, Makoto Takizawa, and Vijay Varadharajan 

However, two different sets of integrity constraints $I_i$ and $I_j$ may be conflicting, i.e. $I_i^* \cap I_j^* = \emptyset$; therefore we suggest using the so-called trusted approach. We need to observe that the data stored in each single-level workflow database generally correspond to a partial view of the universe by users at the corresponding security level. This follows from our assumption that each single-level workflow database $DB_l$ only contains data classified at level $l$. Therefore, in the trusted approach, the view at a given level $l$ is obtained by merging the single-level workflow database at level $l$ with all the lower single-level workflow databases. For example, if a workflow database at level $l_{k-1}$ is consistent with a workflow database at level $l_k$, then it can completely flow to level $l_k$, as in the additive approach [?]. Let us denote by $View\_at\_level\_l$ the view of the multilevel workflow database for users at level $l$. Therefore, we can use the trusted approach to derive the set of integrity constraints $Integrity\_at\_level\_l_k$ which apply to the security level $l_k$:

— $(Integrity\_at\_level\_l_1)^* = I_1^*$

— $(Integrity\_at\_level\_l_k)^* = I_k^* \cap (Integrity\_at\_level\_l_{k-1})^*$

To be realistic, we shall assume that the global workflow multilevel database may be polyinstantiated. We define this as follows: a workflow multilevel database $DB$ is polyinstantiated if and only if there are two security levels $i$ and $j$ such that $DB_i^* \cap DB_j^* = \emptyset$.
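The trusted-approach view and the per-level integrity constraints above can be worked through on the paper's salary example; the following Python is an added example (not the authors' code) with a constructed chain of levels, constructed facts and the two salary caps $I_1$ and $I_2$.

```python
"""Trusted-approach views and polyinstantiation in a multilevel database.

Added example, not from the paper.  The security levels form a chain
U < S < TS (constructed), which is a lattice with lub = max.  Each DB_l holds
facts classified exactly at l; the view at l merges DB_l with every lower
level, and the integrity constraints at l are those of l and of every lower
level (the model sets intersect).  Facts and salary caps are constructed.
"""
LEVELS = ["U", "S", "TS"]


def dominates(l1, l2):
    """l2 <= l1 in the chain."""
    return LEVELS.index(l1) >= LEVELS.index(l2)


def earn_facts(facts):
    """Earn(x, y) tuples of a fact set as (x, y) pairs."""
    return [(f[1], f[2]) for f in facts if f[0] == "Earn"]


def salary_cap(cap):
    """Integrity constraint I_l: for all x, y, Emp(x) ^ Earn(x, y) -> y <= cap."""
    return lambda facts: all(y <= cap for x, y in earn_facts(facts)
                             if ("Emp", x) in facts)


# Constructed single-level databases and per-level constraints (the paper's
# I_1 at unclassified and I_2 at secret).
DB = {
    "U": {("Emp", "alice"), ("Earn", "alice", 70_000),
          ("Emp", "bob"), ("Earn", "bob", 75_000)},
    "S": {("Earn", "bob", 95_000)},       # bob's real salary, kept secret
    "TS": set(),
}
INTEGRITY = {"U": [salary_cap(80_000)], "S": [salary_cap(99_000)], "TS": []}


def view_at_level(l, db=DB):
    """Trusted approach: View_at_level_l = DB_l merged with all lower DBs."""
    return set().union(*(db[k] for k in LEVELS if dominates(l, k)))


def integrity_at_level(l, integrity=INTEGRITY):
    """(Integrity_at_level_l_k)* = I_k* intersected with the lower levels':
    a view at l must satisfy the constraints of l and of every lower level."""
    return [c for k in LEVELS if dominates(l, k) for c in integrity[k]]


def view_consistent(l, db=DB, integrity=INTEGRITY):
    """Does the view at l satisfy every constraint that applies at l?"""
    view = view_at_level(l, db)
    return all(check(view) for check in integrity_at_level(l, integrity))


def polyinstantiated(db=DB):
    """DB is polyinstantiated when two levels have no common model; here that
    means two single-level databases give one employee different salaries.
    Returns [(lower level, higher level, employees)]."""
    clashes = []
    for i, j in ((a, b) for a in LEVELS for b in LEVELS
                 if LEVELS.index(a) < LEVELS.index(b)):
        si, sj = dict(earn_facts(db[i])), dict(earn_facts(db[j]))
        emps = {x for x in si if x in sj and si[x] != sj[x]}
        if emps:
            clashes.append((i, j, emps))
    return clashes


if __name__ == "__main__":
    for lvl in LEVELS:
        print(lvl, len(view_at_level(lvl)), view_consistent(lvl))
    print(polyinstantiated())   # the U and S databases disagree about bob
```

The secret-level view fails because the unclassified cap of 80,000 flows up with the constraint merge and bob's secret salary violates it, which is exactly the constraint conflict the text warns about.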

Formally, a multilevel relation consists of two parts, scheme and instances, defined below.

Definition 3. Relation Scheme. Let $A_1, \ldots, A_n$ be data attribute names over domains $D_i$, let each $C_i$ be a classification attribute for $A_i$, and let $TC$ be the tuple-class attribute. The domain of $C_i$ is specified by a range $[L_i, H_i]$ which defines a sublattice of access classes ranging from $L_i$ to $H_i$. Let the domain of $TC$ be the range $[\mathrm{lub}\{L_i : i = 1, \ldots, n\}, \mathrm{lub}\{H_i : i = 1, \ldots, n\}]$.¹

Definition 4. Relation Instances. Let $R(A_1, C_1, A_2, C_2, \ldots, A_n, C_n, TC)$ be a multilevel relation scheme. The collection of state-dependent relation instances, one for each access class $c$ in the given lattice, is designated by $R_c$. Each instance of a multilevel relation is a set of distinct and ordered tuples of the form $(a_1, c_1, a_2, c_2, \ldots, a_n, c_n, tc)$ where each $a_i \in D_i$ or $a_i = null$, and $tc = \mathrm{lub}\{c_i : i = 1, \ldots, n\}$. If $a_i \neq null$ then $c_i \in [L_i, H_i]$. We also require that $c_i$ be defined even if $a_i$ is null; a classification attribute cannot be null, or more formally, $c_i \neq null$ for all $a_i$.

Similarly to classical relations, multilevel workflow relations are required to 
satisfy several integrity properties. Since multilevel workflow relations have dif- 
ferent instances at different access classes, the definition of keys becomes unclear 
because a relation instance is now a collection of sets of tuples rather than a sin- 
gle set of tuples. 

¹ Least upper bound.
5.3 The Necessity for Semantics in Secure Workflow Databases

The problem of polyinstantiation arises because of different views of a single entity in the real world at different security levels by two subjects. The problem also generally occurs through the avoidance of a covert channel. If, for example, a user inserts a relation instance (a tuple) with key $K_1$, a user at a lower security level cannot be prevented from inserting a different tuple with key $K_1$ later on, as rejecting the later insertion would open a covert channel. As a direct result, MLS workflow relations can contain multiple tuples with the same key value: polyinstantiated tuples. This problem has been addressed in some previous models by means of syntactic integrity properties, which control the extent and nature of polyinstantiation, e.g., Jajodia and Sandhu [?] and Jukic and Vrbsky [?].

Our contention is that both these models of asserting user beliefs about security are incomplete and somewhat stringent.

The Jukic-Vrbsky model is too restrictive and has only fixed interpretations. On the other hand, the Jajodia-Sandhu model is too basic, and users are left to discover the truth. Users in these frameworks really do not have any reasoning capabilities, as the interpretations are already given.

The paucity of attempts aimed at developing a logical characterization for MLS models evidences that MLS workflow deductive databases are really in their embryonic state. While there were proposals such as [?] that addressed the general issue of authorization in a deductive framework, only Cuppens addressed the issue of querying MLS deductive databases [?].

We believe a middle ground is warranted, where the user is given the choice to reason and theorize about the beliefs of others and to decide how he wants to believe information visible to him. To support that approach, we assert that users should be given linguistic tools to view data as well as to construct the meaning of the visible data. In such an environment, the user may take a firm view of the data and insist that only whatever is created at his security level is correct and believable data; thus lower level data are of no value.



5.4 Inference Control Theorems of MLS Workflow Database 

We argue that any proposed model of an MLS workflow database, under either discretionary or mandatory security, should incorporate at least the following elements:

— A formally defined model of the MLS, including all the security properties that databases under this model will possess.

— Classification of any piece of information at any given classification level should be enforced by powerful inference control rules.

— A formal definition (semantics) for databases under the proposed model, which can represent the beliefs about the state of the world held by the users at a chosen security level.
The axiomatics of the language $\mathcal{L}$ which we consider is based on the classical axiom schemas of first order logic with equality, augmented with appropriate axioms of our theory related to the multilevel workflow object-relational database. The subset of our language $\mathcal{L}$ is universally consistent with any language based on first order logic with equality [?]. What follows is a set of axioms which are relevant to a set of integrity constraints to be enforced by the multilevel workflow object-relational database:

— If $a$ is an attribute of the object $o$ then $o$ is an object.
$\forall a \forall o, OA(o, a) \rightarrow Object(o)$ (A)

— If $m$ is a method of the class $c$ then $c$ is a class.
$\forall m \forall c, Method(c, m) \rightarrow Class(c)$ (B)

— If $a$ is an attribute of the class $c$ then $c$ is a class.
$\forall a \forall c, CA(c, a) \rightarrow Class(c)$ (C)

— Any object attribute has a value.
$\forall a \forall o, OA(o, a) \rightarrow \exists v, Val(o, a, v)$ (D)

— The value of an object attribute is unique.
$\forall a \forall o \forall v \forall v', Val(o, a, v) \wedge Val(o, a, v') \rightarrow (v = v')$ (E)

— Any object is an instance of at least one class.
$\forall o, Object(o) \rightarrow \exists c, Instance(o, c)$ (F)

— If $o$ is an instance of $c$ then $o$ is an object and $c$ is a class.
$\forall o \forall c, Instance(o, c) \rightarrow Object(o) \wedge Class(c)$ (G)

In this section we also present the general constraints that should be enforced when classifying the workflow database content. Those constraints must be satisfied when classifying a class $c$, containing objects $o$ and attributes $a$ at level $l$, and $Class(c)$ at level $l$. The language that we propose to represent the multilevel workflow database is an extension of the language defined above combined with the acclaimed Datalog language, which is also augmented with the predicates of the Logic Data Language (LDL), resulting in a powerful combination of the expressive power of a high-level, logic-based language (such as Prolog) with the non-navigational style of a relational query language, where the system is expected to devise an efficient execution strategy for it. For each predicate $P$ of arbitrary arity $n$ used to represent the non-protected workflow database content, there is a predicate $P'$ of arity $(n + 1)$ used to represent the MLS workflow database.

It is generally acknowledged that when classifying any piece of information at a given level, the following inference control rule must be active:

Definition 5. Rule 1. Let $x_1, \ldots, x_n$ be tuples of variables compatible with the arity of predicates $P_1, \ldots, P_n$. Let $y$ be another tuple of variables compatible with the arity of $Q$. For simplicity we assume that each variable in tuple $y$ appears in at least one of the tuples $x_1, \ldots, x_n$. Therefore, if:

$\forall x_1, \ldots, \forall x_n, P_1(x_1) \wedge \ldots \wedge P_n(x_n) \rightarrow Q(y)$

is an axiom of the non-secure object oriented database, then by following a similar approach as in [?], we can derive the following theorem in relation to the multilevel workflow object oriented database:

$\forall x_1 \ldots \forall x_n \forall l_1 \ldots \forall l_n \forall l, P_1'(x_1, l_1) \wedge \ldots \wedge P_n'(x_n, l_n) \wedge Q'(y, l) \rightarrow l \leq \mathrm{lub}(l_1, l_2, \ldots, l_n)$

If Rule 1 is not complied with, then a subject cleared at level $\mathrm{lub}(l_1, \ldots, l_n)$ can access every $P_i(x_i)$ and use the above axiom to derive $Q(y)$. If the classification of $Q(y)$ is not lower than or equal to $\mathrm{lub}(l_1, \ldots, l_n)$, then an inference channel enabling prohibited information to be disclosed is opened. By combining Rule 1 with more of the axiomatics of our language, we can derive further useful theorems¹.
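Rule 1 can be checked mechanically over a classified database, and the same lattice functions serve Definitions 3 and 4 (tuple class as lub of the attribute classes). The following Python is an added example (not the authors' code): levels with compartments, the predicates, facts, derivation rule and relation scheme are all constructed.

```python
"""Rule 1 inference-control check and tuple-class validation on a lattice.

Added example, not from the paper.  Levels are (hierarchical rank, set of
compartments) pairs, so lub is the lattice join; all predicates, facts, the
derivation rule and the relation scheme are constructed.  check_rule_1 finds
instantiations of P_1 ^ ... ^ P_n -> Q whose derived fact Q(y) is stored at a
level not dominated by lub(l_1, ..., l_n); validate_tuple applies Definitions
3 and 4 (c_i in [L_i, H_i], never null, tc = lub{c_i}).
"""
from itertools import product

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}


def lub(*levels):
    """Least upper bound: highest rank, union of compartments."""
    return (max((h for h, _ in levels), key=RANK.get),
            frozenset().union(*(comps for _, comps in levels)))


def dominates(l1, l2):
    """l2 <= l1: rank not lower and every compartment of l2 present in l1."""
    return RANK[l1[0]] >= RANK[l2[0]] and l2[1] <= l1[1]


def unify(variables, args, binding):
    """Extend `binding` so that the variable tuple matches `args`, or None."""
    binding = dict(binding)
    for var, val in zip(variables, args):
        if binding.get(var, val) != val:
            return None
        binding[var] = val
    return binding


def check_rule_1(db, rule):
    """db: predicate -> {argument tuple: level}  (the P' predicates of arity n+1).
    rule: ([(P_1, x_1), ..., (P_n, x_n)], (Q, y)) with variable tuples.
    Returns [(Q fact, its level, lub of premise levels)] for every violation."""
    antecedents, (q_pred, q_vars) = rule
    violations = []
    fact_lists = [list(db.get(p, {}).items()) for p, _ in antecedents]
    for combo in product(*fact_lists):
        binding, levels = {}, []
        for (_, variables), (args, level) in zip(antecedents, combo):
            binding = unify(variables, args, binding)
            if binding is None:
                break
            levels.append(level)
        if binding is None:
            continue
        q_args = tuple(binding[v] for v in q_vars)
        q_level = db.get(q_pred, {}).get(q_args)
        bound = lub(*levels)
        if q_level is not None and not dominates(bound, q_level):
            violations.append(((q_pred,) + q_args, q_level, bound))
    return violations


def validate_tuple(scheme, tup):
    """Definition 4 instance check.  scheme: [(A_i, L_i, H_i)];
    tup: (a_1, c_1, ..., a_n, c_n, tc)."""
    *attrs, tc = tup
    classes = []
    for (_, lo, hi), c in zip(scheme, attrs[1::2]):
        if c is None or not (dominates(c, lo) and dominates(hi, c)):
            return False
        classes.append(c)
    return tc == lub(*classes)


# Constructed classified database and derivation rule.
U, S = ("U", frozenset()), ("S", frozenset())
S_NUC = ("S", frozenset({"NUC"}))
DB = {
    "Manages": {("carol", "reactor"): S, ("dave", "sales"): U},
    "WorksIn": {("erin", "reactor"): U, ("frank", "sales"): U},
    "Supervises": {("carol", "erin"): S_NUC, ("dave", "frank"): U},
}
# Manages(x, d) ^ WorksIn(y, d) -> Supervises(x, y)
RULE = ([("Manages", ("x", "d")), ("WorksIn", ("y", "d"))],
        ("Supervises", ("x", "y")))
SCHEME = [("Name", U, S), ("Salary", U, S_NUC)]

if __name__ == "__main__":
    # Supervises(carol, erin) sits at S/NUC but is derivable from S and U facts
    print(check_rule_1(DB, RULE))
    print(validate_tuple(SCHEME, ("bob", U, 95_000, S_NUC, S_NUC)))
```

The violation is removed either by lowering the derived fact to the lub of its premises or by raising a premise, e.g. classifying Manages(carol, reactor) at S/NUC, after which check_rule_1 returns no violations.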

For example, by combining Rule 1 with axiom (D), we can derive the following theorem:

— $\forall a \forall o \forall v \forall l \forall l', Val'(o, a, v, l) \wedge OA'(o, a, l') \rightarrow (l' \leq l)$ (H)

which can be described as follows: the sensitivity of "$v$ is a value of the attribute $a$ in object $o$" dominates the sensitivity of "$a$ is an attribute of object $o$".

This model includes the possibility to hide some parts of the multilevel work- 
flow database schema and to deal with rules in the database. Therefore, it may 
also be used as a formal semantics for multilevel workflow deductive databases. 

When classifying any item of information at a given sensitivity level [22], the 
following control rule must be operational if one wants to protect the existence 
of secure information: 

Definition 6 (Rule 2). Let x_1, ..., x_n and y_1, ..., y_p be tuples of variables 
consecutively compatible with the arity of predicates P_1, ..., P_n and Q_1, ..., Q_p, 
and let y be another tuple of variables. For simplicity we assume that each variable 
in tuple y appears in at least one of the tuples y_1, ..., y_p and each variable in 
tuples y_1, ..., y_p appears in at least one of the tuples x_1, ..., x_n, y. If 

$$\forall x_1 \ldots \forall x_n,\; P_1(x_1) \wedge \ldots \wedge P_n(x_n) \rightarrow \exists y,\; Q_1(y_1) \wedge \ldots \wedge Q_p(y_p) \qquad (C)$$

is an axiom of the non-protected workflow object-relational database, then the 
following theorem can be derived for the workflow multilevel object-relational 
database: 

$$\forall x_1 \ldots \forall x_n \forall l_1 \ldots \forall l_n,\; P'_1(x_1, l_1) \wedge \ldots \wedge P'_n(x_n, l_n) \rightarrow \exists y \exists l'_1 \ldots \exists l'_p,\; Q'_1(y_1, l'_1) \wedge \ldots \wedge Q'_p(y_p, l'_p) \wedge lub(l'_1, \ldots, l'_p) \le lub(l_1, \ldots, l_n) \qquad (M)$$

In case Rule 2 is not satisfied, a subject cleared at level lub(l_1, ..., l_n) 
can access every P_i(x_i) and use the axiom (C) to derive the existence of the 
secure data (facts) Q_1(y_1), ..., Q_p(y_p), some of them being classified higher 
than lub(l_1, ..., l_n). As a result, a signaling channel is effectively created, 
which enables the existence of prohibited information within the workflow 
repository to be disclosed. 

¹ A detailed demonstration of how similar theorems can be established can be 
found in [ref]. 
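As an added illustration of Rule 1 and Rule 2 (example code written for this page, not the authors' language or system), the following Python joins the body of an axiom against a small labelled fact base and reports the derivations whose stored classification exceeds the lub of the premises. The linear lattice U < C < S < TS, the predicate names, the facts and the two rules are constructed sample data; real MLS databases use a general lattice, but the lub-based check is the same.

```python
# Constructed linear lattice of sensitivity levels; lub is the maximum.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def lub(*labels):
    return max(labels, key=LEVELS.__getitem__)


def dominates(a, b):
    """a >= b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


def instances(atoms, facts, start=None):
    """Join the atoms (pred, variables) against the MLS fact base
    {pred: {tuple: label}}. Returns (binding, labels) for every way of matching
    all atoms at once, with the labels l_i of the facts P'_i(x_i, l_i) used."""
    results = [(dict(start or {}), [])]
    for pred, variables in atoms:
        nxt = []
        for binding, labels in results:
            for tup, label in facts.get(pred, {}).items():
                b = dict(binding)
                if all(b.setdefault(v, val) == val for v, val in zip(variables, tup)):
                    nxt.append((b, labels + [label]))
        results = nxt
    return results


def rule1_violations(body, head, facts):
    """Rule 1: for an axiom P1(x1) ^ ... ^ Pn(xn) -> Q(y), every stored Q'(y, l)
    derivable from the body must satisfy l <= lub(l1, ..., ln). Returns the
    offending (y, l, lub) triples: a subject cleared at lub derives them anyway."""
    qpred, qvars = head
    bad = []
    for binding, labels in instances(body, facts):
        y = tuple(binding[v] for v in qvars)
        l = facts.get(qpred, {}).get(y)
        if l is not None and not dominates(lub(*labels), l):
            bad.append((y, l, lub(*labels)))
    return bad


def rule2_violations(body, head_atoms, facts):
    """Rule 2: for an axiom P1(x1) ^ ... ^ Pn(xn) -> EXISTS y Q1(y1) ^ ... ^ Qp(yp),
    some witness must have lub(l'1, ..., l'p) <= lub(l1, ..., ln). If every witness
    is classified higher, the existence of the witnesses is signalled downward."""
    bad = []
    for binding, labels in instances(body, facts):
        bound = lub(*labels)
        witnesses = instances(head_atoms, facts, binding)
        if witnesses and not any(dominates(bound, lub(*ls)) for _, ls in witnesses):
            bad.append((binding, bound))
    return bad


# Constructed workflow fact base; tuple -> classification label.
FACTS = {
    "task":     {("t1", "payroll"): "C", ("t2", "audit"): "S", ("t3", "hiring"): "U"},
    "assigned": {("t1", "bob"): "C", ("t2", "carol"): "C"},
    "works_on": {("bob", "payroll"): "C", ("carol", "audit"): "TS"},
    "approved": {("t3", "dave"): "TS"},
}

# Constructed axioms: task(T, P) ^ assigned(T, E) -> works_on(E, P)
RULE1 = ([("task", ("T", "P")), ("assigned", ("T", "E"))], ("works_on", ("E", "P")))
# and task(T, P) -> EXISTS E approved(T, E)
RULE2 = ([("task", ("T", "P"))], [("approved", ("T", "E"))])


def check():
    """Run both rules over FACTS; each list is empty when the rule is respected."""
    return (rule1_violations(*RULE1, FACTS), rule2_violations(*RULE2, FACTS))
```

In the sample data, works_on(carol, audit) is stored at TS although it follows from facts whose lub is S, so Rule 1 flags it; and task(t3, hiring) at U guarantees the existence of an approved(t3, ·) fact whose only witness is TS, so Rule 2 flags the existence channel. A classifier would raise the premise labels or lower the derived fact's label until both lists are empty.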

6 Conclusion 

The impetus for our current research is the need to provide an adequate framework 
for belief reasoning about security in MLS distributed workflow management 
systems. The notions of correctness for transaction processing that are usually 
proposed for multiuser databases are not necessarily suitable when these databases 
are parts of multilevel secure workflow systems. We believe that the best approach 
will depend upon the characteristics of the multilevel secure workflow database 
and the applications. It is incumbent upon those who develop multilevel secure 
database systems to ensure that the users' needs and expectations are met, to 
avoid misunderstandings about the system's functionality. 

The insight developed in the current research serves as the basis for a complete 
logical synthesis of SecureLog, the language which we are currently developing 
as an orthogonal extension of the work contained in this paper in the direction 
of F-logic [ref]. 

We chose to develop a formal framework for secure distributed workflow architecture 
since we are actively involved in building a prototype of such a system. We strive 
to develop, for the first time, a practical logical characterization of MLS 
distributed workflow using the inherently difficult concept of non-monotonic 
reasoning. We also derived general theorems which must be active when classifying 
every item of information. 
Abstract. Deploying security services is hard. Security services are more 
readily integrated when they can be added at a single point in a network 
or at a single layer in the protocol stack. Most of today’s widely de- 
ployed security tools are deployed in this manner. Unfortunately this 
kind of deployment significantly limits the kinds of security policies that 
can be enforced. 

The end-goal of security is to control access to information. Many ap- 
plications require that access be controlled to pieces of information that 
are only delineated at the application layer. Enforcement of these poli- 
cies requires application cognizance of security, and today this means 
that applications and application protocols must be modified. 

This talk advocates extending authorization policy enforcement mecha- 
nisms with a means for integrating security services. A simple API for 
authorization will be described that allows application developers to fo- 
cus on only the aspect of security that matters to them - whether access 
should be granted. This allows security service policies (i.e. which se- 
curity mechanisms are to be used for authentication, payment, audit, 
etc.) to be enforced through the API without specific knowledge or un- 
derstanding by the application programmer. As new security services 
become available, this also allows the new services to be integrated by 
changing policy, rather than by rewriting the application. 

Dr. Neuman will additionally suggest that the policies themselves adapt 
to perceived network threat conditions, possibly affected by the receipt 
of audit data at other processes. The use of such policies can assist in de- 
tecting and responding to intrusion and misuse and lead to more efficient 
utilization of all security services. 
Abstract. Trojan horses are hard to detect since they pretend to be normal 
programs [ref]. This paper proposes 'SKETHIC (Secure Kernel Extension 
against Trojan Horses with Information-carrying Codes)', an anti-Trojan method 
based on resource access information attached to codes. This information serves 
as the criterion for users' decisions on the installation of programs and forms 
access control policies for the runtime monitoring system. Compared to previous 
approaches, SKETHIC introduces a way of reducing the users' decision-making 
overhead. To show clearly how it keeps a host secure from Trojans, we describe 
the mechanism in a formal way. 



1 Introduction 

A 'Trojan horse' program, or a 'Trojan', is a program that pretends to be normal 
code but does something unwanted, like stealing passwords or destroying files 
[ref]. Trojan horses usually arrive through the Internet and e-mail, or as a 
result of hackers' intrusions. It is easy for a dishonest developer to deceive 
users into accepting a Trojan with a reasonable name and documentation. 

This paper introduces a new anti-Trojan mechanism called 'SKETHIC (Secure 
Kernel Extension against Trojan horses with Information-carrying Codes)'. 
To detect unknown Trojans, SKETHIC focuses on the gap between users' expectations 
for a code and its actual behavior. However, in contrast to existing anti-Trojan 
monitoring tools, SKETHIC frees users from describing the expected access rights 
necessary for an unfamiliar code. Instead, they just examine the information 
attached to the code, called a resource access list, to decide whether 

* This work is supported by Brain Korea 21 project and by National Security Research 
Institute (NSRI). 
to accept it or not. Execution is permitted only for code that looks honest. During 
the execution of the code, the monitoring system watches the process to check 
whether it follows its resource access list. When the process tries to access a 
resource beyond the list, appropriate responses are given. 

The rest of the paper is organized as follows. In section 2, we review the 
previous anti-Trojan approaches, and we show an abstract view of SKETHIC in 
section 3. In section 4, the mechanism used in SKETHIC is described in a formal 
way. Also we show how it keeps a host secure from Trojan horses. In section 5, 
the proposed mechanism is compared with other approaches and discussed in 
detail. In section 6, we give a conclusion and future works. 



2 Previous Anti- Trojan Approaches 



Conventional anti-Trojan tools are classified into three categories: static code 
scanners, runtime monitoring systems and integrity checkers. 

In the static scanning approach, a code is deemed to be a Trojan if it has 
the features of a known Trojan horse. For example, some tools scan suspicious 
codes to find any signature of a known Trojan horse [ref]. With its tight 
dependence on information about known Trojans, this approach does not seem 
promising in the current situation, where many new malicious codes appear. 

In runtime monitoring systems, which SKETHIC also follows, a code is executed 
in an environment with confined resources, called a 'sandbox' [ref]. Similarly 
to the mechanism for Java applet security [ref], a monitoring tool audits and 
controls the processes based on a policy. However, sandboxes defined by policy 
specification need to be fine-grained enough to cover the various kinds of 
Trojans with different properties [ref]. This requires the access control models 
for anti-Trojan policies to be based on concrete behaviors of the codes, for 
instance, lists of allowed system calls [ref] and state transition machines 
[ref]. The main advantage of this approach is the ability to deal with unknown 
Trojans. However, because of the complexity and the number of codes on a host, 
it would be hard for users to develop suitable behavioral descriptions, especially 
for unfamiliar codes [ref]. 

Finally, integrity checkers are helpful for detecting Trojan horses generated 
by modification of normal programs. They let users know whether an important 
code has been changed or not, by comparing the actual integrity data of the 
code with the original value kept in a database [ref]. 



3 The Suggested Approach 

As mentioned in the previous section, SKETHIC adopts the runtime monitoring 
approach, which enables detection of unknown Trojans. However, so as not to 
burden users with describing the access rights for unfamiliar codes, code 
developers are supposed to attach resource access information to their codes. This 
requires the cooperation of three subjects: developers, users and the reference 
monitor. What each of them has to do in SKETHIC is listed as follows. 

— A Developer: He/she distributes his/her code together with the information 
on the possible resource accesses by the code, called the 'resource access list'. 
A program is defined as p = (m, c, l), where m ∈ M is the identifier of the 
program, such as a name, c ∈ C is the code, and l ∈ L is the resource access 
list. 

— A User and a System Administrator: He/she decides on the acceptance of a 
given program (m, c, l) by examining the resource access list l. If l contains 
suspicious operations that do not meet the user's expectations for the code, the 
program is deemed a Trojan and simply discarded. Otherwise, the program 
is accepted as executable. 

— The Monitoring System: During the execution of the code c, all attempts 
to access a resource are monitored. If any attempt to access beyond the list 
l is detected, appropriate responses are given, such as terminating the 
process, removing the program from the system and notifying users of what 
happened. Note that it is not the user but the developer who described 
the list l, the policy for monitoring the process behavior. 

The proposed mechanism of SKETHIC is depicted in Figure 1. The developer 
distributes a program accompanied by a resource access list. Based on this list, 
the user decides whether to install the program. During the execution, the 
monitoring system intercepts the system calls of the process asking for system 
resources. As long as a request follows the resource access list, the monitoring 
system considers it safe and allows the operation to proceed. 

One of the main advantages of the proposed system is the ability to detect 
unknown Trojans without burdening users with developing access policies. Let us 
consider a malicious code like navidad.exe [ref]. Users would not accept the code 
if it were delivered with a resource access list implying file destruction. With a 
legitimate-looking but dishonest list, however, the users would be easily deceived. 
But at runtime, the monitoring system would detect the pretence during the execution. 



4 Formal Description 

Formal description is useful for viewing the advantages and the limitations of a 
mechanism. In this section, we start by clarifying the terms 'Trojans' and 
'safety from Trojans', and then describe the proposed mechanism. Finally, we 
show how SKETHIC keeps the host safe from Trojans. 



4.1 Definition of the Problem 

Fig. 1. Anti-Trojan Mechanism in SKETHIC 

Let U and R denote the set of users and the set of the states of the system 
resources, respectively. O represents the set of operations, and Q denotes the set 
of 'operation execution sequences', or 'execution sequences', indicating possible 
sequences of operations performed while a program is running. Note that a program 
may have more than one execution sequence. For programs without termination, 
the maximum length of the execution sequence is assumed to be infinite. 

Definition 1. An operation execution sequence, or execution sequence, 
$q = o_1; \ldots; o_n \in Q$ s.t. $o_i \in O$ and $0 \le n \le \infty$ is defined 
as an ordered list of operations performed in sequence while a program is running. 

A code is defined as the set of all possible execution sequences of a program. 
For endless programs, the maximum number of execution sequences is infinite, as 
above. We use the terms 'code' and 'program' interchangeably in Section 4.1, 
where the difference between them is immaterial. 

Definition 2. A code c is $\{q_1, q_2, \ldots, q_n\} \in C$ such that $q_i \in Q$ and $0 \le n \le \infty$. 

The function $operations : C \rightarrow \wp(O)$ maps each code c to the set of all the 
operations possibly performed during the execution of c. That is, 
$operations(c) = \{o \mid \exists q \in c \text{ s.t. } o \in_l q\}$, where '$\in_l$' is used 
as the list-inclusion symbol. A system s is defined as $(\{c_1, \ldots, c_n\}, r) \in S$ 
such that $c_1, \ldots, c_n \in C$ and $r \in R$, that is, the pair of a set of programs 
and a state of system resources. 

All operations in a code fall into two groups: the ones having effects on the 
system and the rest. An 'effect' here means changing the system state 
or stealing information from the host. 

Definition 3. An effective operation $e \in E$ is an operation which changes the 
system state or steals information from the host. 

In this paper, the only interesting kinds of operations are those that possibly 
influence security. We consider effective operations and security holes to be 
such operations, and call them 'problematic'. 

Definition 4. A problematic operation is an effective operation or a security 
hole. 
Further classification of operations is given by the following functions. Note 
that they take the user u as well as the code c as inputs, since users' 
expectations are crucial to the decision on Trojans. 

Definition 5. Function $overt : U \times C \rightarrow \wp(O)$ maps a user u and a code c to 
the set of operations that belong to operations(c) and that u also expects as such. 

Definition 6. Function $hcovert : U \times C \rightarrow \wp(O)$ maps a user u and a code c 
to the set of problematic operations that belong to operations(c) but which u does 
not expect for c (hcovert means a harmful covert operation). 

Definition 7. Function $hlcovert : U \times C \rightarrow \wp(O)$ maps a user u and a code c 
to the set of non-problematic operations that belong to operations(c) but which u 
does not expect for c (hlcovert means a harmless covert operation). 

hcovert and hlcovert are collectively called 'covert', for the operations 
performed beyond u's expectation. Note that overt is not divided into something 
like 'hovert' and 'hlovert': we assume that all the operations that the user 
expects to be performed are harmless. Then a Trojan horse is defined as a code 
c with harmful operations, hcovert(u, c). 

Definition 8. Given a user u, a Trojan horse or Trojan is a code c such that 
$hcovert(u, c) \ne \emptyset$. 

A system 'safe' from Trojans is one free from Trojans. In addition, one can 
keep a system safe from Trojans by disallowing new installation of Trojans. 
We formalize these as below. 

Definition 9. The system $s = (cs, r)$ is safe from Trojans when, for every user 
u, there is no Trojan t in cs. 

Theorem 1. For a non-Trojan $c \notin cs$ and an initial system $s = (cs, r)$ safe 
from Trojans, the system $(cs \cup \{c\}, r)$ is also safe from Trojans. 

Proof. It is clear by Definition 8 and Definition 9. □ 

4.2 Definition of SKETHIC 

Here, we give a formal description of the proposed anti-Trojan mechanism. A 
program in SKETHIC is defined as a triple of the identifier, the code and the 
resource access list, as mentioned in the previous section. This also requires a 
redefinition of the term 'Trojan horse'. 

Definition 10. A program p is $(m, c, l) \in P = M \times C \times L$, where M denotes 
the set of identifiers for programs. 

Definition 11. A Trojan horse is a program $p = (m, c, l)$ such that 
$hcovert(u, c) \ne \emptyset$ for some user u. 

An operation is implied by a resource access list if the list indicates the 
possibility of the execution of the operation. We use the symbol '$\Rightarrow$' for this 
implication. 

Definition 12. For $l \in L$ and $o \in O$, a resource access list l implies o, or 
'$l \Rightarrow o$', if l indicates that the operation o might be executed at runtime. In 
addition, for $l \in L$ and $os \in \wp(O)$, '$l \Rightarrow os$' means that $l \Rightarrow o$ for every $o \in os$. 
We assume that the operations irrelevant to resource access are implied by every 
resource access list in L. 

It is desirable for a resource access list to imply all the operations in 
operations(c). In addition, a good resource access list should not imply incorrect 
and harmful behaviors. This motivates the following definition. 

Definition 13. For a code $c \in C$, a correct resource access list $l \in L$ is defined 
as follows: 

— $l \Rightarrow operations(c)$, and 

— there is no $o \in O$ such that $l \Rightarrow o$ and $o \in hcovert(u, c)$ but 
$o \notin operations(c)$. 

We assume that every resource access list from a well-intended developer is 
always correct, whereas this does not hold for Trojans. 

The proposed mechanism is described by states and operations. A SKETHIC 
state $t_i$ is defined as $(u, d, k, s, fmc, fmi, x_1; \ldots; x_n) \in T = U \times D \times K \times S \times Fmc \times Fmi \times List(X)$. 
Here, u, d, k and s denote a user, a developer, a monitoring system 
and a system, respectively. $fmc \in Fmc : M \rightarrow C$ and $fmi \in Fmi : M \rightarrow L$ are 
functions mapping a program identifier to the related code and the related resource 
access list, respectively. List(X) is the set of lists of SKETHIC operations in X. 

A SKETHIC operation $x \in X = \{INSERT, DELETE, EXECUTE, Run\}$ 
changes the SKETHIC state or performs code operations in O. INSERT(u, p) 
means that a user u inserts a new program p into the system. 
DELETE(u, m) represents removing the program identified by m from the host. 
EXECUTE(u, m) denotes the execution of the code of m. Run(k, o) performs a 
code operation o in the kernel k. Currently, we assume that a user can run only 
the codes installed by him/herself, but we believe that the description in this 
paper is easily extended to the general case. The meaning of the SKETHIC 
operations is described as rules explaining how they change SKETHIC states, as 
follows: 

$$(previous\ state) \triangleright (next\ state) \quad \text{if } (conditions)$$

This reads: under the given (conditions), (previous state) is changed 
into (next state) after executing the head of the SKETHIC operation list in 
(previous state). 
SKETHIC prohibits installation of a new program $p = (m, c, l)$ if l indicates 
any execution of operations in hcovert(u, c) (see [INSERT III] below). Otherwise, 
p is installed with appropriate changes to cs, fmc and fmi of the state 
$(u, d, k, (cs, r), fmc, fmi, INSERT(u, p); Ops)$ (see [INSERT I] and [INSERT II] 
below). The symbol '$f[y/x]$' means substituting or extending the function f 
with the value y for x. Ops is a list of SKETHIC operations like $x_1; \ldots; x_n$. 
[INSERT II] is for the case where a pre-existing program already has the identifier 
m. 

[INSERT I] 
$$(u, d, k, (cs, r), fmc, fmi, INSERT(u, (m, c, l)); Ops) \triangleright (u, d, k, (cs \cup \{c\}, r), fmc[c/m], fmi[l/m], Ops)$$
$$\text{if } \neg(l \Rightarrow hcovert(u, c)) \wedge \neg(\exists c' \text{ s.t. } (m, c') \in fmc)$$

[INSERT II] 
$$(u, d, k, (cs, r), fmc, fmi, INSERT(u, (m, c, l)); Ops) \triangleright (u, d, k, (cs - \{c'\} \cup \{c\}, r), fmc[c/m], fmi[l/m], Ops)$$
$$\text{if } \neg(l \Rightarrow hcovert(u, c)) \wedge \exists c' \text{ s.t. } (m, c') \in fmc$$

[INSERT III] 
$$(u, d, k, s, fmc, fmi, INSERT(u, (m, c, l)); Ops) \triangleright (u, d, k, s, fmc, fmi, Ops)$$
$$\text{if } l \Rightarrow hcovert(u, c)$$

The execution of a program will be completed only if it exists in the system 
and each operation making up the code is implied by its resource access list 
(see [EXECUTE I] below). Since the execution sequence to be performed varies 
according to the resource states of the system, we use the function selected(s, c) 
for the execution sequence of the code c under the system s. Run(k, o) denotes 
performing a code operation o in O by the kernel k. The meaning of Run, 
the semantics of k, is beyond this paper. We only assume that Run does not 
change a SKETHIC state. EXECUTE(u, m) cannot be completed either when 
the runtime monitoring system detects an operation not implied by the 
corresponding resource access list (see [EXECUTE II] below), or when it cannot 
find a program identified by m in the current system (see [EXECUTE III] below). 

[EXECUTE I] 
$$(u, d, k, s, fmc, fmi, EXECUTE(u, m); Ops) \triangleright (u, d, k, s, fmc, fmi, Run(k, o_1); \ldots; Run(k, o_n); Ops)$$
$$\text{if } fmc(m) = c \wedge selected(s, c) = (o_1, \ldots, o_n) \wedge fmi(m) \Rightarrow o_i \text{ for all } o_i \text{ s.t. } 1 \le i \le n$$

[EXECUTE II] 
$$(u, d, k, s, fmc, fmi, EXECUTE(u, m); Ops) \triangleright (u, d, k, s, fmc, fmi, Run(k, o_1); \ldots; Run(k, o_{i-1}); DELETE(u, m); Ops)$$
$$\text{if } fmc(m) = c \wedge selected(s, c) = (o_1, \ldots, o_n) \wedge \exists o_i, 1 \le i \le n \text{ s.t. } \neg(fmi(m) \Rightarrow o_i) \wedge i = \min\{j : 1 \le j \le n \wedge \neg(fmi(m) \Rightarrow o_j)\}$$

[EXECUTE III] 
$$(u, d, k, s, fmc, fmi, EXECUTE(u, m); Ops) \triangleright (u, d, k, s, fmc, fmi, DELETE(u, m); Ops)$$
$$\text{if } \neg(\exists c \text{ s.t. } fmc(m) = c) \vee \neg(\exists l \text{ s.t. } fmi(m) = l)$$

When a program execution fails, SKETHIC needs the operation DELETE(u, m), 
which removes the information on m from the SKETHIC state (see [DELETE I] 
below). If there is no code identified by m, DELETE(u, m) is simply ignored 
(see [DELETE II] below). 

[DELETE I] 
$$(u, d, k, (cs, r), fmc, fmi, DELETE(u, m); Ops) \triangleright (u, d, k, (cs - \{c\}, r), fmc - \{(m, c)\}, fmi - \{(m, l)\}, Ops)$$
$$\text{if } \exists c \text{ s.t. } (m, c) \in fmc \wedge \exists l \text{ s.t. } (m, l) \in fmi$$

[DELETE II] 
$$(u, d, k, s, fmc, fmi, DELETE(u, m); Ops) \triangleright (u, d, k, s, fmc, fmi, Ops)$$
$$\text{if } \neg(\exists c \text{ s.t. } (m, c) \in fmc) \vee \neg(\exists l \text{ s.t. } (m, l) \in fmi)$$
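The three-party mechanism of Section 3 and the INSERT/EXECUTE/DELETE rules of Section 4.2, as an added Python model (example code written for this page, not the SKETHIC prototype). It keeps the paper's rule names but makes several constructed simplifications: a code has a single execution sequence, so selected(s, c) is just that sequence; 'l => o' is set membership for a fixed set of resource operations and holds trivially for everything else (Definition 12); every resource operation counts as problematic, so hcovert(u, c) is the set of unexpected resource operations; and, following the prose reading of [INSERT III], insertion is refused when the list admits any operation in hcovert(u, c). The safe_from_trojans check is Definition 15 evaluated by running each installed program on a copy of the state.

```python
import copy
from dataclasses import dataclass, field

# Constructed: the operation names that touch system resources. Anything else is
# "irrelevant to resource access" and implied by every list (Definition 12).
RESOURCE_OPS = {"read_file", "write_file", "delete_file", "open_socket"}


@dataclass
class Program:
    """p = (m, c, l) of Definition 10; c is one execution sequence (assumption)."""
    ident: str
    code: tuple
    access_list: frozenset


@dataclass
class State:
    """The parts of (u, d, k, s, fmc, fmi, Ops) that the rules inspect."""
    user: str
    expected: dict                            # overt(u, c) per identifier, constructed
    fmc: dict = field(default_factory=dict)   # m -> code
    fmi: dict = field(default_factory=dict)   # m -> resource access list
    log: list = field(default_factory=list)   # applied rule names and Run(k, o) calls


def implies(access_list, op):
    """'l => o' (Definition 12), modelled as set membership for resource ops."""
    return op not in RESOURCE_OPS or op in access_list


def hcovert(state, ident, code):
    """Definition 6 under the simplification that every resource op is problematic:
    the resource ops of the code that the user does not expect for this identifier."""
    return {o for o in code if o in RESOURCE_OPS} - state.expected.get(ident, set())


def insert(state, p):
    """[INSERT I/II/III]: refuse when l admits any harmful covert operation."""
    if any(implies(p.access_list, o) for o in hcovert(state, p.ident, p.code)):
        state.log.append(("INSERT III", p.ident))
        return False
    state.log.append(("INSERT II" if p.ident in state.fmc else "INSERT I", p.ident))
    state.fmc[p.ident] = p.code
    state.fmi[p.ident] = p.access_list
    return True


def delete(state, ident):
    """[DELETE I] removes m from fmc and fmi; [DELETE II] ignores an unknown m."""
    if ident not in state.fmc or ident not in state.fmi:
        state.log.append(("DELETE II", ident))
        return False
    del state.fmc[ident]
    del state.fmi[ident]
    state.log.append(("DELETE I", ident))
    return True


def execute(state, ident):
    """[EXECUTE I/II/III]: returns the operations handed to Run(k, o). At the first
    operation not implied by fmi(m) the monitor stops and uninstalls the program."""
    if ident not in state.fmc or ident not in state.fmi:
        state.log.append(("EXECUTE III", ident))
        delete(state, ident)
        return []
    ran = []
    for op in state.fmc[ident]:
        if not implies(state.fmi[ident], op):
            state.log.append(("EXECUTE II", ident, op))
            delete(state, ident)
            return ran
        state.log.append(("Run", op))
        ran.append(op)
    state.log.append(("EXECUTE I", ident))
    return ran


def safe_from_trojans(state):
    """Definition 15: for every installed Trojan t, no o in hcovert(u, t) is run.
    Evaluated by executing each program on a copy of the state."""
    for ident, code in state.fmc.items():
        harmful = hcovert(state, ident, code)
        if harmful and set(execute(copy.deepcopy(state), ident)) & harmful:
            return False
    return True


def demo():
    """Constructed scenario: an honest editor, a Trojan shipping a truthful list,
    and the same Trojan with a dishonest list (the navidad.exe case of Section 3)."""
    st = State(user="alice", expected={"editor": {"read_file", "write_file"},
                                       "greeting": {"read_file"}})
    honest = Program("editor", ("read_file", "compute", "write_file"),
                     frozenset({"read_file", "write_file"}))
    truthful = Program("greeting", ("read_file", "delete_file"),
                       frozenset({"read_file", "delete_file"}))
    dishonest = Program("greeting", ("read_file", "delete_file", "open_socket"),
                        frozenset({"read_file"}))
    accepted = (insert(st, honest), insert(st, truthful), insert(st, dishonest))
    safe_with_trojan = safe_from_trojans(st)   # Lemma 5: installed, but harmless
    ran = execute(st, "greeting")              # stops before delete_file, then DELETE
    return accepted, safe_with_trojan, ran, "greeting" in st.fmc, execute(st, "editor")
```

The truthful Trojan is refused at installation because its list admits delete_file, which the user does not expect of a greeting program; the dishonest one is accepted, but the monitor halts it after read_file and removes it, so the state is safe under Definition 15 both before and after the run. The log field records which rule fired at each step, which is the audit trail a monitoring system would keep.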

The sequence of executions of SKETHIC operations is denoted by '$\triangleright\triangleright$', the 
reflexive and transitive state transition based on '$\triangleright$'. The inductive definition is 
provided as follows. 

Definition 14. For SKETHIC states $t_1$ and $t_2$, '$t_1 \triangleright\triangleright t_2$' if any of the following 
is satisfied: 

(i) $t_1 = t_2$ 

(ii) $t_1 \triangleright t_2$ 

(iii) $t_1 \triangleright\triangleright t_3$ and $t_3 \triangleright t_2$, for some $t_3 \in T$ 

4.3 Safety 

In 4.1, a system safe from Trojans is defined as a Trojan-free one. According 
to this definition, a safe system needs to exclude Trojan horses before program 
installation, but it is very hard to check binary codes for this, especially for 
unknown Trojans. Here, we give a less strict definition of safety from Trojans: 

Definition 15. A state $(u, d, k, (cs, r), fmc, fmi, Ops)$ is safe from Trojans 
when, if there exists a Trojan (m, t, l) in cs according to a user u, none of 
$o \in hcovert(u, t)$ can be executed. 

Now, let us show how SKETHIC keeps the host safe from Trojans. Before 
proceeding further, we show two useful properties of SKETHIC in the following 
lemmas. 

Lemma 1. If a Trojan (m, t, l) exists in the SKETHIC state, then l does not 
imply any $o \in hcovert(u, t)$. 

Proof. Suppose that there is a Trojan (m, t, l) such that an operation 
$o \in hcovert(u, t)$ is implied by l. It must have been installed by the operation 
'INSERT(u, (m, t, l))', since INSERT is the only operation inserting a program 
into a SKETHIC state. Due to the existence of $o \in hcovert(u, t)$ such that 
$l \Rightarrow o$, INSERT(u, (m, t, l)) follows the rule [INSERT III], which, however, 
results in the failure of insertion. Thus, it is impossible for a SKETHIC state to 
have the Trojan (m, t, l) with an operation in hcovert(u, t) implied by l. This 
completes the proof. □ 
Lemma 2. Let $t_1 = (u, d, k, (cs, r), fmc, fmi, Ops)$ and $t_2 = (u, d, k, (cs', r'), fmc', fmi', Ops')$. 
For all m, if $r = r'$, $fmc(m) = fmc'(m)$ and $fmi(m) = fmi'(m)$, 
then the execution of EXECUTE(u, m) at $t_2$ is exactly the same as that at $t_1$. 

Proof. According to [EXECUTE I], [EXECUTE II] and [EXECUTE III], among 
the elements composing $t_2$, only m, k, fmc(m), fmi(m) and r have effects on the 
execution of EXECUTE(u, m) at $t_2$. These elements are the same in $t_1$ and in $t_2$, 
and so is the execution of EXECUTE(u, m). □ 

Now we show that a safe system remains safe after insertion of a non-Trojan 
program. The proof is based on the fact that inserting a new program is almost 
independent of the existing programs. 

Lemma 3. Suppose $t_1 = (u, d, k, (cs, r), fmc, fmi, Ops)$ is changed to 
$t_2 = (u, d, k, (cs', r'), fmc', fmi', Ops')$ by the execution of INSERT(u, (m_1, c, l)). 
Then for all $m_2$ in M such that $m_2 \ne m_1$, the execution of EXECUTE(u, m_2) 
at $t_2$ is just the same as that at $t_1$. 

Proof. According to the semantic rules, INSERT(u, (m_1, c, l)) changes only 
cs, fmc(m_1) and fmi(m_1), which results in $r = r'$, $fmc(m_2) = fmc'(m_2)$ and 
$fmi(m_2) = fmi'(m_2)$. Thus, by Lemma 2, the proof is completed. □ 

Lemma 4 (Safety after Insertion of a Non-Trojan). If the state $t_1 = (u, d, k, s, fmc, fmi, Ops)$ 
is safe from Trojans, then so is $t_2$, the state right after a non-Trojan 
p = (m, c, l) is inserted at $t_1$. 

Proof. When $t_2$ has no Trojans this lemma clearly holds. Suppose that $t_2$ has a 
Trojan $p_t = (m_t, t, l_t)$. We know that $p_t \ne p$, since $p_t$ is a Trojan while p is not. 
That is, $p_t$ is one of the programs that were already in the system before the 
insertion of p. Since $t_1$ is safe from Trojans, execution of $o \in hcovert(u, t)$ will 
fail at $t_1$ by Definition 15. We want to show that execution of $o \in hcovert(u, t)$ 
will also fail at $t_2$. There are two possible cases: 

(i) If $t_1$ has no program identified by m: This implies that the identifier of 
$p_t$ is not m, that is, $m_t \ne m$. We know that, by Lemma 3, the execution 
of EXECUTE(u, m_t) at $t_2$ is equivalent to that at the safe state $t_1$. This 
means that the execution of $o \in hcovert(u, t)$ will fail at $t_2$. 

(ii) If $t_1$ has a program identified by m: If $m_t = m$, INSERT(u, p) follows the 
rule [INSERT II], which changes s = (cs, r) and fmc into $(cs - \{t\} \cup \{c\}, r)$ 
and $fmc[c/m_t]$, respectively. Thus, there remains no way to perform any 
execution sequence of t at $t_2$, let alone the operations in hcovert(u, t). 
If $m_t \ne m$, the proof is similar to that of (i) above. 

By (i) and (ii), we have shown that execution of $o \in hcovert(u, t)$ will also fail 
at $t_2$ if $t_2$ has a Trojan $p_t = (m_t, t, l_t)$. By Definition 15, this completes the 
proof. □ 
Even after insertion of a Trojan program, a safe system remains safe. Before 
proving this, we show that if a Trojan is installed at a safe state, then 
none of the operations in hcovert(u, t) can be performed. 

Lemma 5. Let $t_1 = (u, d, k, s, fmc, fmi, Ops)$ be a safe state and 
$t_2 = (u, d, k, s', fmc', fmi', Ops')$ be the state right after a Trojan $p = (m_t, t, l)$ 
is installed at $t_1$. Then, EXECUTE(u, m_t) at $t_2$ cannot perform any operation 
$o \in hcovert(u, t)$. 

Proof. Clearly, Lemma 5 holds for the case that $selected(s', fmc'(m_t)) = (o_1, \ldots, o_n)$ 
does not include any $o_i \in hcovert(u, t)$. Suppose that $selected(s', fmc'(m_t)) = (o_1, \ldots, o_n)$ 
has $o_i \in hcovert(u, t)$. We know that $\neg(l \Rightarrow o_i)$ by Lemma 1, which 
leads EXECUTE(u, m_t) at $t_2$ to follow the rule [EXECUTE II]. This implies 
that only $o_1, \ldots, o_{I-1}$ are performed by Run, where $I = \min\{j : 1 \le j \le n \wedge \neg(l \Rightarrow o_j)\}$. 
Because $I \le i$, $o_i$ cannot be performed at $t_2$, and this completes 
the proof. □ 

Lemma 6 (Safety after Insertion of a Trojan). If the state $t_1 = (u, d, k, s, fmc, fmi, Ops)$ 
is safe from Trojans, then so is $t_2$, the state right after a Trojan 
p = (m, c, l) is installed at $t_1$. 

Proof. It clearly holds if $t_2$ has no Trojans. Let us suppose that $t_2$ has a Trojan 
$p_t = (m_t, t, l_t)$. If $p_t = p$, $o \in hcovert(u, t)$ cannot be executed at $t_2$, by 
Lemma 5. If $p_t \ne p$, the proof is similar to that of Lemma 4. □ 

Deletion of a program is almost independent of other programs. Based on this 
property, we show that a safe system remains safe after deletion of a program. 

Lemma 7. Suppose that $t_1 = (u, d, k, (cs, r), fmc, fmi, Ops)$ is changed to $t_2$ by 
the execution of DELETE(u, m_1). Then, for all $m_2$ in M such that $m_2 \ne m_1$, 
the execution of EXECUTE(u, m_2) at $t_2$ is the same as that at $t_1$. 

Proof. According to the semantic rules, DELETE(u, m_1) changes only cs, 
fmc(m_1) and fmi(m_1). Thus, by Lemma 2, the proof is done. □ 

Lemma 8 (Safety after Deletion). If the state $t_1 = (u, d, k, s, fmc, fmi, Ops)$ is 
safe from Trojans, then so is $t_2$, the state right after a program p identified by 
m is deleted from $t_1$. 

Proof. It is clearly true if $t_2$ has no Trojans. Suppose that $t_2$ has a Trojan 
$p_t = (m_t, t, l_t)$. 

(i) If $t_1$ has no program identified by m: By the definition, DELETE(u, m) 
does not change the state. Thus, by Lemma 2, the execution of $o \in hcovert(u, t)$ 
will fail at $t_2$. 

(ii) If $t_1$ has a program identified by m: Since the information on m is deleted 
by DELETE(u, m), $m_t$ must not be m. We know that, by Lemma 1, the 
execution of $o \in hcovert(u, t)$ will fail at $t_2$. 

By (i) and (ii), we have shown for each case that if $t_2$ has a Trojan 
$p_t = (m_t, t, l_t)$, the execution of $o \in hcovert(u, t)$ will fail at $t_2$. Thus, by 
Definition 15, the proof is done. □ 

Now we are prepared to show that SKETHIC keeps the host safe from Trojans. 

Theorem 2 (Safety after an Operation). A safe SKETHIC state remains 
safe from Trojans after any SKETHIC operation execution. 

Proof. We prove this theorem for each SKETHIC operation. Suppose 
$t_1 = (u, d, k, (cs, r), fmc, fmi, Ops)$ is a state safe from Trojans and $t_2$ is the state 
right after a SKETHIC operation performed at $t_1$. By Lemma 6 and Lemma 8, 
$t_2$ is safe from Trojans after INSERT or DELETE at $t_1$. Since, for any 
Trojan $p_t = (m_t, t, l_t)$, EXECUTE and Run do not change r, fmc or fmi, their 
execution at $t_2$ is not different from that at $t_1$ either, by Lemma 2. This implies 
that no operation $o \in hcovert(u, t)$ can be executed after EXECUTE and after 
Run, which completes the proof by Definition 15. □ 

Theorem 3 (Safety Maintained by SKETHIC). If an initial state is safe from 
Trojans, SKETHIC keeps it always safe from Trojans. 

Proof. The proof is easily done by Theorem 2 and induction on the number of 
'$\triangleright$'s involved from the initial state to a given state. □ 

5 Comparisons and Discussions 

It is a well-known approach to attach security information to codes. Developers’ 
signatures and integrity values are commonly delivered along with mobile codes 
m). With a proof-carrying code (PCC) 0 , correctness of accompanied proof is 
checked mechanically before running the codes 0. In contrast, SKETHIC en- 
sures the correctness of a resource access list by the runtime monitoring system. 

Note that SKETHIC also examines a resource access list before execution, but 
for the agreement with the user’s expectation for the code, not for its correctness. 
This concept is similar to the approaches in some mobile agent systems, which 
check the accompanied data before the execution of the codes to see if expected 
resource consumption agrees with the capability of the local host mg. 

SKETHIC transfers the burden of generating policies from users to program developers. We believe that the developers’ overhead will be relatively small, since they know their own programs better than the users do. In addition, automatic extraction of information from source code is easier than extraction from the binary code delivered to hosts [15].

It is possible that well-intentioned code is mistaken for a Trojan by SKETHIC because of an incorrect resource access list. We expect that this can be avoided with the support of intelligent tools that help extract resource access information from code. We also hope that the proposed mechanism encourages developers to use minimal system resources, making it easier to discriminate between honest programs and Trojans.
6 Summary and Future Works

We proposed SKETHIC (Secure Kernel Extension against Trojan Horses with Information-carrying Codes), an anti-Trojan mechanism based on data called the ‘resource access list’ that is attached to the code. Before execution the user checks the resource access list to ensure that the code is not a Trojan. During execution the runtime monitoring system checks the correctness of the attached data.

One of the main advantages of SKETHIC is to reduce the users’ burden of 
developing access policies for codes. This paper also formalizes the SKETHIC 
mechanism and shows how SKETHIC keeps a system safe from Trojans. 

Currently, we are developing the prototype on Windows 2000 and studying resource access list models. In particular, the proposed mechanism can employ rather complex models of access policies without difficulty, since access policies are specified not by users but by program developers, who we believe are better informed. We are also interested in developing tools that support automatic extraction of information from code or help users decide whether to accept code.
Abstract. With the rapid growth of broadband infrastructure, it is thought that
the bottleneck for video-on-demand service through Internet is being cleared. 
However, digital video content protection and consumers privacy protection 
emerge as new major obstacles. In this paper we propose an online video 
distribution system with strong content security and privacy protection. We 
mainly focus on the study of security and privacy problems related to the 
system. Besides presenting the new system, we intensively discuss some 
relevant cryptographic issues, such as content protection, private information 
retrieval, super-speed encryption/decryption for video, and PKC with fast 
decryption etc. The paper can be viewed as one that proposes practical solutions 
to real life problems, as well as one that presents applied cryptography research. 



1 Introduction 

Television has been elected as one of the greatest inventions of the last century. Public demand for video-based communication, entertainment and education has been the driving force for many technologies, such as broadband networks and video compression. Nowadays, people are no longer satisfied with fixed TV programs. They want to watch what they love to watch, and pay for that, i.e. a personalized video service like the services provided in restaurants. To meet this need, Video-on-Demand (VoD) has been studied for many years. [Minoli] is a good reference for the academic and industrial effort on VoD technologies. Researchers have been focusing on how to stream video to an online Internet consumer without dropping critical frames. SMIL has been worked out by the W3C as a standard for the synchronized integration of multimedia streams. It is claimed in [Jai99] that industry has even moved far ahead of academia in this field in stepping into the new frontier.

With the rapid growth of broadband infrastructure, it is thought that the bottleneck for video-on-demand service over the Internet is cleared. Digital content security emerges as a new challenge. Up to now, online video consumers (OVCs) have had a very limited choice of online video content, as video content providers (VCPs) hesitate to put their content in digital format on the network. VCPs are not comfortable with the level of content security provided by current technology [GMDS98]. On the other hand, online consumers are also concerned about their privacy being disclosed.

In this paper, we propose an online video distribution scheme that protects the VCPs’ video content and the consumers’ privacy simultaneously. The content protection in our scheme is based on public key cryptography implemented in tamper-resistant hardware, which is not a new idea. But we focus more on security discussion and analysis. We also study some cryptographic issues arising from the scheme. The privacy protection is based on a simple PIR (private information retrieval) scheme.

V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 190-205, 2001.

The organization of the paper is as follows. In Section 2 we describe our online video distribution system. In Section 3 we discuss the advantages of using public key cryptography in tamper-resistant hardware for content protection. In Section 4 we study the privacy protection issue in our online video system. The system features are presented in Section 5. In Section 6, we propose a general method to construct symmetric key ciphers with super-speed for video encryption. In Section 7 we propose a public key cryptosystem with fast decryption, which is motivated by implementing decryption in a hardware device with cheap processors. We present the design and analysis of two concrete super-high speed ciphers for video encryption in the Appendix, which can be excluded from the paper.



2 System Description 

2.1 Outline of the System 

In our online video system there are four parties:

VCP— Video Content Provider,
OVW— Online Video Warehouse,
OVC— Online Video Consumer,
THM— Tamper-resistant Hardware Manufacturer.

An OVW is an online storage service provider that may support several VCPs. A VCP encrypts its different videos with different secret keys and puts the encrypted videos at an OVW. An OVC can freely download the encrypted videos of his/her choice. The OVC can only watch a video after he/she pays the VCP for the secret key to decrypt it.

However, for content protection the secret key must not be given to the OVC in the clear. That key is given to the OVC in encrypted form and is decrypted in a tamper-resistant hardware device (produced by the THM), as described in the following.

2.2 System Description in Detail 

The system has three encryption algorithms:

1. Symmetric Key Cryptosystem I (SKC I)— SKC I is a fast cipher as studied in Section 6.

2. Symmetric Key Cryptosystem II (SKC II)— SKC II is a commutative cipher as studied in Section 4 and Appendix A.

3. Public Key Cryptosystem (PKC)— PKC can be any public key cryptosystem. A PKC with fast decryption as presented in Section 7 may be favored for this application.
System Description:

1. A VCP has n videos V_1, V_2, ..., V_n. The VCP chooses n secret keys K_1, K_2, ..., K_n and encrypts V_1, V_2, ..., V_n with SKC I, respectively. Denote the n ciphertexts by K_1(V_1), K_2(V_2), ..., K_n(V_n).

2. The VCP also chooses a key S and encrypts K_1, K_2, ..., K_n by S with SKC II. Denote the ciphertexts by S(K_1), S(K_2), ..., S(K_n).

3. Suppose an OVC wants to watch V_i. He downloads S(K_i) || K_i(V_i), chooses a key R for SKC II and encrypts S(K_i). Denote the ciphertext by W = R(S(K_i)).

4. Decryption of W by key S is denoted by S^{-1}(W).

5. PK_j/SK_j is a public/private key pair generated by the THM. SK_j is embedded into the j-th tamper-resistant hardware device. PK_j is certified by the THM and is given together with the certificate to the OVC who buys the hardware device.

6. When a VCP receives a PK_j, the VCP should check whether the PK_j is legal.

3 Content Protection

3.1 A Brief Review of Content Protection Technologies 

Content protection is the key security issue for e-commerce in digital goods, no matter whether the transacted digital object is a picture, a video, an audio track or a piece of news. It is commonly recognized that a digital content provider can hardly survive without some means of protection. In the online distribution of video, content protection is the issue of how to prevent illegal users (who do not pay) from watching a video. Content protection for digital goods is a very difficult problem from the technology angle. So far no fully satisfactory solution exists. Available technologies for content protection include the following.

Watermarking Technology 

Watermarking technology has been considered to be a key technology for 
multimedia content protection. There have been so many research papers addressing 
watermarking technology in the past several years. Readers are referred to [CL97, 
CMY96, ZK95] and the references therein. 

There are two sorts of watermarking. The first is for ownership. The second is for tracing illegal users; the technique of the second sort is also called fingerprinting in some references. The first sort of watermarking embeds an identical watermark into every copy of the digital object. Hence, it cannot be used to identify which user distributed an illegal copy. The technology is meant to deter large-scale resale. There are a lot of research publications in this area.

The second sort embeds different watermarks into different copies. It can be used to trace illegal users. But this sort of watermarking has certain difficulties. One is how to efficiently resist collusion attacks [BS95]. Another, as pointed out in [PS96], is that there is actually no lawful basis for the content provider to sue the illegal user. This is because the provider himself possesses the watermarked digital object, so there is no way to tell who actually disclosed the copy. Asymmetric fingerprinting was proposed to solve this problem; see [PS99] and the references therein. However, it seems that the technique is not ready for practical use due to its complicated and interactive implementation.

Tamper-Resistant Software 

This technology aims to prevent the decrypting party from accessing the decryption key in software. Combined with other techniques, it can be used to prevent the making of illegal copies. This is an advantage over watermarking technology in that watermarking is used to catch illegal copies while tamper-resistant technology is used to prevent illegal copies. Tamper-resistant software, in principle, hides some secret information in a software program. It is based on anti-reverse-engineering. The current status of the technology is more like know-how, and the technology is studied more within the industry community than within the academic community. There are quite a number of patents but rare publications in this area. It seems that there is no solid theoretical foundation for this technology.

Tamper-Resistant Hardware

Tamper-resistant hardware has been studied for many years. This technology has already been used in many real applications such as cable TV and DVD. In this paper, we take tamper-resistant hardware as our basis for content protection. The tamper-resistant hardware in our system contains a private key that is used to decrypt the ciphertext of the secret key of a video.

There have been various attacks against tamper-resistant hardware devices, such as the differential fault attack [BDL97, JQBD97], timing attack, differential power attack [Kocher], and probing attack [AK97, HPS99]. Researchers find that any information leakage during the computation may lead to compromise of the secret key. On the other hand, various countermeasures have been proposed. Countermeasures against the differential fault attack can be found in [BDL97]. Methods to resist the differential power attack are presented in [Cor99, Kocher]. [WBYD00] presents some countermeasures against the probing attack. But in general, the attitude of academia toward tamper-resistant hardware is negative. This is because it might be hard to absolutely prevent the leakage of side-channel information [CKN01], which would cause key compromise.

Industry, however, has a different view of tamper-resistant devices, which have been running well in reality. One example is the cable TV box, which is insecure from whatever angle in researchers’ eyes. But it does make good business. There is a big gap between academia and industry in the understanding of security. The former tends to consider “absolute security” based on complexity assumptions, while the latter usually cares more about “relative security” with respect to the costs. We do not believe that tamper-resistant devices could be relied upon as the security basis for military or government secrecy. But we think they should be qualified for small-value business. In addition, it is commonly recognized that tamper-resistant hardware is much more reliable than tamper-resistant software.

3.2 The Content Protection Based on Public Key Cryptosystem

Why Use a Public Key Cryptosystem The most important and essential discipline for a content protection system is that compromise of one component must not cause the whole system to collapse. If we only use a symmetric key cryptosystem in the tamper-resistant hardware devices, we have two choices. First, we can install a master secret key into every tamper-resistant hardware device. This choice is apparently not secure, since breaking one device may compromise the master key, and therefore the whole system is broken. The second choice is to install different secret keys into different devices. In this case all the VCPs must know all the secret keys (otherwise they cannot encrypt). This is also dangerous, since once a VCP is compromised, all other content providers are exposed beyond any protection. The whole system collapses. Using a public key cryptosystem solves both problems. The system proposed in this paper meets the discipline that compromise of a component does not cause the whole system to collapse.

Protection of Private Keys The private key installed in each tamper-resistant hardware device is very important. The manufacturer of the hardware (THM) must be very cautious about these private keys. One suggestion is to destroy the keys once they are installed into the hardware devices. The manufacturer is a trusted party like the CA in a PKI. Actually, the manufacturer is required to maintain a revocation list as a CA does. Once a device is found to be broken, its serial number should be put on the list to prevent any further use.

Tamper-Resistant Technology In this paper we do not discuss how to build tamper-resistant hardware devices. There has been research on this technique for many years. What we want to emphasize here is that in our system the tamper-resistant technique can be focused on the private key. It is the critical point. Once the private key is destroyed, the device is completely useless. So the guideline for building the tamper-resistant property should be that once the device is tampered with or opened, the private key is automatically erased or modified. Protection techniques may include, for example, hiding a photoelectric cell inside the device, which is triggered (once the device is opened) to erase or change the private key. Another technique is careful wiring inside, so that the device is hard to open without breaking the wire, which would also cause the private key to be erased. Of course, there must be multiple levels of protection.

Business Consideration In the proposed system, every OVC must buy a hardware device. This is the disadvantage of hardware solutions compared with software solutions. But from another angle, hardware solutions are not excluded here, since a video has a comparatively high value. A DVD movie usually costs about 20 US dollars, while an online video may cost much less as long as the content is perfectly protected. If an online video costs only one dollar, for example, the attraction for a customer to buy a hardware device is considerably large. More specifically, such a tamper-resistant hardware device is not expensive, since the processors that conduct decryption and D/A conversion are not very expensive. Another choice is to build such a hardware device into home appliances like VCD/DVD players. Then there is only a small additional cost, while the player gains a new function used together with the home PC. That is very alluring.



4 Privacy Protection 

A VCP may provide a large number of videos in various categories. This is also the attractive point of online video. Therefore, privacy is another issue of concern. A customer may not like to let others know what video he/she is watching or favors. Such privacy should be guaranteed as long as the online video is a charged service. From another viewpoint, if two VCPs are providing the same video at the same price, the one who guarantees privacy is more competitive. Retrieving a message from a database without revealing which message is actually being retrieved has been theoretically studied under the term PIR (private information retrieval) [CGKS95, CG97, KO97, CMS99]. However, the computational costs of these solutions are very large due to their bit-by-bit processing manner. All those schemes need at least O(N) operations to retrieve only one bit, where N is the number of bits of the whole database. All the previous PIR schemes aim at reducing communication complexity. The scheme of [CMS99] can even achieve a communication complexity of poly(log N). However, those schemes can hardly be accepted for practical use. In this section we propose a simple and efficient scheme for privacy protection in the online video system. The scheme is not a PIR scheme from a strict viewpoint. For simplicity, we describe the scheme in the way a PIR scheme is described.
A Simple PIR Scheme

In Appendix A, we will present our scheme in detail and give its cryptanalysis. Here only its principle is given. Let E be a symmetric-key encryption algorithm that has the commutative property, i.e., for any pair of keys K_1, K_2 and for any message m, we have

E(K_1, E(K_2, m)) = E(K_2, E(K_1, m))

Denote the decryption algorithm of E by D. Suppose that the Database has n files denoted by M_1, M_2, ..., M_n (possibly of different lengths) and the User wants M_s. By the following scheme the User can get M_s without the Database knowing what s is.

Database                                          User

Randomly choose n keys K_1, ..., K_n
for a symmetric encryption, say DES.
Encrypt M_i by K_i:  C_i = DES(K_i, M_i)
Randomly choose a key r for E.
Encrypt K_i by r:    h_i = E(r, K_i)

         h_1||C_1, h_2||C_2, ..., h_n||C_n  ----->

                                                  Randomly choose a key w for E.
                                                  Compute W = E(w, h_s)

                                      <-----  W

Compute U = D(r, W)

                                      U  ----->

                                                  K_s = D(w, U)
                                                  M_s = DES^{-1}(K_s, C_s)



The Database has no way to know which message the User gets, no matter how maliciously the Database behaves. Meanwhile the User can only get one message per run of the scheme. In [BDF00], a concrete E and the security analysis of the protocol were presented.

It is easy to see that the above PIR scheme processes messages file by file. It does not reduce communication complexity if it is regarded as a PIR scheme. But it fits our online video scheme very well for the following reasons.

The customer’s download can be anonymous. When the customer downloads the encrypted video from the OVW, he need not show personal information such as membership or credit card number. If the download goes through some specific proxy, the customer’s IP address can be hidden; or if the download is through dial-up, the IP address changes every time. Some companies, such as www.zeroknowledge.com and www.anonymizer.com, provide services for anonymous download. On the other hand, the communication between the customer and the VCP cannot be anonymous, since the VCP must know whom he is dealing with. When the VCP decrypts the secret key for the customer, the service is a charged service. Either membership authentication or a payment is needed, which would disclose certain information about the customer.
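The key-retrieval exchange of steps 1-4 in Section 2.2, which is the same flow as the PIR scheme above, as an added example in Python; this is not the paper's code. The paper's commutative cipher E is in its Appendix A and is not reproduced here: the example assumes an exponentiation cipher E(k, m) = m^k mod P over a fixed 256-bit prime (commutative because exponents multiply), a SHA-256 keystream as a stand-in for SKC I / DES, and the class and function names are the example's own.

```python
import hashlib
import secrets
from math import gcd

# Public prime for the commutative cipher E.  This is the secp256k1 field prime,
# chosen here only because it is a well-known 256-bit prime; the paper's own
# commutative cipher (Appendix A) is not reproduced.  (Assumption of this example.)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F


def e_keygen() -> int:
    """Key for E: an odd exponent coprime to P-1, so that it has an inverse."""
    while True:
        k = secrets.randbits(255) | 1
        if gcd(k, P - 1) == 1:
            return k


def E(k: int, m: int) -> int:
    """Exponentiation cipher E(k, m) = m^k mod P.  Commutative, because
    E(k1, E(k2, m)) = m^(k1*k2) mod P = E(k2, E(k1, m))."""
    return pow(m, k, P)


def D(k: int, c: int) -> int:
    """Inverse of E: raise to k^-1 mod (P-1)."""
    return pow(c, pow(k, -1, P - 1), P)


def skc1(key: int, data: bytes) -> bytes:
    """Stand-in for SKC I / DES in the scheme: XOR with a SHA-256 keystream.
    Illustrative only; the same call decrypts because it is an XOR."""
    kb = key.to_bytes(32, "big")
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(kb + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class VCP:
    """Steps 1-2 of Section 2.2, i.e. the Database side of the PIR scheme."""

    def __init__(self, videos: list):
        self.S = e_keygen()                                   # master key S for SKC II
        self.keys = [secrets.randbelow(P - 2) + 2 for _ in videos]  # K_1 .. K_n
        # catalogue entries S(K_i) || K_i(V_i); this is what the OVW stores
        self.catalogue = [(E(self.S, K), skc1(K, V)) for K, V in zip(self.keys, videos)]

    def unlock(self, W: int) -> int:
        """Step 4: return S^-1(W).  W = R(S(K_s)) is blinded by the OVC's fresh R,
        so the VCP learns nothing about s and can serve only one key per run."""
        return D(self.S, W)


class OVC:
    """Step 3 of Section 2.2, i.e. the User side of the PIR scheme."""

    def request(self, catalogue: list, s: int) -> int:
        h_s, self.C_s = catalogue[s]                          # downloaded from the OVW
        self.R = e_keygen()                                   # fresh blinding key R
        return E(self.R, h_s)                                 # W = R(S(K_s))

    def finish(self, U: int) -> bytes:
        K_s = D(self.R, U)                                    # U = R(K_s) by commutativity
        return skc1(K_s, self.C_s)                            # K_s^-1(K_s(V_s)) = V_s


def run_protocol(videos: list, s: int) -> bytes:
    """One complete run: the OVC ends up with video s, the VCP never sees s."""
    vcp = VCP(videos)
    ovw = list(vcp.catalogue)          # public catalogue, downloadable anonymously
    ovc = OVC()
    W = ovc.request(ovw, s)
    U = vcp.unlock(W)
    return ovc.finish(U)


if __name__ == "__main__":
    sample = [b"video one (constructed sample)", b"video two (constructed sample)"]
    assert run_protocol(sample, 1) == sample[1]
    print("OVC recovered the chosen video; the VCP only saw a blinded value W")
```

The single `unlock` call per run is what limits the OVC to one key: U unblinds exactly the h_s that went into W, and a second key would need a second paid round trip.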
5 System Features and Discussions

The system proposed in this paper has many good features. 

1. The system is flexible. There may be multiple VCPs and OVWs. An OVW can support multiple VCPs. Each OVC can enjoy services from multiple VCPs with only one hardware device.

2. No VCP holds any secret of any OVC (the secret of his hardware device); therefore, if a VCP is compromised or becomes malicious, the other VCPs are not affected.

3. The OVCs’ privacy is guaranteed no matter how maliciously a VCP behaves. At most a VCP can let an OVC receive no service, but it can never learn which video the OVC is trying to watch. On the other hand, a VCP can still get statistical data on how frequently videos are downloaded from the OVW (this seems necessary for business).

4. Low requirement on download speed. Unlike streaming VoD, where the network speed must be faster than the playback speed, in this system an OVC can download the encrypted video at a speed slower than that of playback. The download can also be done in off-peak hours.

5. Cheap computations. The system exploits some cryptosystems, but the crypto operations required in the system are light.

Compared with DVD The DVD encryption scheme is not robust: all the videos are encrypted by one secret key (for each zone) and the secret key is stored in all DVD players. Disclosing the secret key breaks the whole scheme. Our video distribution scheme is designed to be robust. In our scheme, the private keys in different hardware devices are independent of each other. In case one hardware player is cracked, the other hardware devices are not affected. Even if the hacker makes the cracked key public, the damage is limited: the VCPs simply refuse to provide service to that device any more.

Payment Choice and Privacy There are two ways of paying for online video. The first is like a membership. An OVC can subscribe to a VCP and the VCP will always serve the OVC (there may be a limit on the number of videos per OVC per month). For this payment manner, the OVC’s privacy is perfectly protected. The second way is pay-per-video. For this payment manner, privacy can only be guaranteed among all the videos with the same price. In this case the system needs a slight modification: the master key S in Section 2.2 should be replaced with a set of master keys, one key for each group of videos with the same price.

Flexible Distribution Means In reality there may be more means to distribute the encrypted videos. The VCPs encourage the distribution of the encrypted videos among video fans. Another possibility is by CD. CDs with huge storage capacity are going to emerge in a few years. We believe that the storage medium is much cheaper than the stored content. A CD containing many encrypted movies can be very cheap in the future.
6 Fast Symmetric Key Encryption Scheme

It is well known that symmetric key encryption schemes are much faster than PKC schemes. For example, DES can achieve a speed of 20-30 Mb/s on a 233 MHz Pentium II processor [Dai]. That speed is sufficient for video playback. However, the decryption of the video may be conducted on a resource-limited chip. In our system, the speed of the processor in the tamper-resistant hardware device may be much lower than that of a 233 MHz Pentium II. So it is better if we have faster encryption algorithms. We show that there is large room to increase the speed of a symmetric key encryption algorithm while maintaining its security, as long as the encrypted file is very large.

It is widely believed that there is a tradeoff between the speed and the security strength of a cipher. It is a big challenge to design a very strong cipher that is also very fast. But if we consider the situation of encrypting large files, it is possible to design a cipher with both very fast speed and very strong security. The reason is that we can combine a very strong but slow cipher with a very fast but weaker cipher such that the combined cipher is very fast and very strong. The reason behind the construction is that a weaker cipher may be a strong one if it is used in such a way that each key encrypts only a limited amount of data. Looking at the powerful cryptanalysis techniques, such as the differential attack [BS91] and the linear attack [Mat93], a large number of chosen/known plaintext/ciphertext pairs is always the precondition.

In our scheme we combine fast stream ciphers with secure block ciphers. 

Let SE denote a strong encryption algorithm, such as AES, and FE a weaker but very fast encryption algorithm, such as some fast stream cipher. Denote a plaintext by M_1 M_2 ... M_n, where each M_i is a block of the same size as that of SE. Let K be a key; the encryption can be done as follows:

Ciphertext = SE(K, M_1) || FE(K_1, M_2 M_3 ... M_k) ||
             SE(K, M_{k+1}) || FE(K_2, M_{k+2} ... M_{2k}) ||
             ... ||
             SE(K, M_{tk+1}) || FE(K_{t+1}, M_{tk+2} ... M_n)

where K_{i+1} = SE(K, SE(K, ...)) (i = 0, 1, ..., t) are called segment keys. The k (segment size) is the value determined by FE such that FE is strong enough if one key is used to encrypt at most k blocks.

It is obvious that such a combination has a speed advantage only for large files. If the plaintext consists of only a few blocks, the speed is close to that of SE. But if the plaintext is large and k is fairly large, the speed is close to that of FE. By analogy, this is like constructing a door with a steel frame and plastic filling pieces such that the door is as light as a plastic door while as strong as a steel door. The k is like the size of the grid: the smaller it is, the more secure the scheme.

Dividing the video into segments is also needed for fast preview: the video can be played from any segment. In the Appendix, we show two concrete ciphers with speeds of 300 Mb/s and 1,500 Mb/s on a 233 MHz Pentium II processor.

We have seen some research papers, such as [MS95, QNT97, Tan96], on increasing video encryption speed by exploiting the structure of MPEG. But none of them can compare with our solution. Ours is very much faster as long as the encrypted file is large.
7 PKC with Fast Decryption

In our system, a tamper-resistant hardware device contains the private key of a PKC (public key cryptosystem). The PKC decryption is conducted in the device. Although any PKC can be used in our system, a PKC with fast decryption is favored for lowering the cost of the device. It is well known that RSA can be made fast for encryption. But PKCs with fast decryption have rarely been studied. In this section we make an effort to design a PKC with fast decryption. We propose a PKC that is much faster in decryption than RSA and at least ten times faster than MultiPrime, while the security strength is the same. The PKC proposed here is similar to Shamir’s unbalanced RSA except that we have a small d. In RSA a small d is dangerous. We show that our scheme is immune to the small-d attack. To our knowledge, this is the first PKC designed for fast decryption.

Algorithm Description 

Private key: primes p, q (preferably safe primes) and an odd number d.

Public key: n (n = pq), e (ed = 1 mod (q − 1)).

Encryption: c = m^e mod n, where m (0 < m < q) is the plaintext and c is the ciphertext.

Decryption: m = c^d mod q.

It is easy to verify that the decryption is correct. The scheme differs from RSA in that there is an expansion from plaintext to ciphertext.

Fast Decryption 

We take |n| = 1024, |q| = 341 and |d| = 120. The decryption speed of this scheme is apparently much higher than that of 1024-bit RSA. But the most important issue is security. It is dangerous to take a small d in RSA. In our algorithm, however, a small d is conjectured to be safe.
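Added example in Python (not the paper's implementation) of the key generation, encryption and decryption just described, with the paper's sizes |n| = 1024, |q| = 341 and |d| = 120 as defaults. Two assumptions of the example: the primes are ordinary Miller-Rabin primes rather than the safe primes the paper prefers, and the bit length of q is published with the key so that an encryptor, who does not know q, can still enforce the stated domain 0 < m < q.

```python
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits.  The top two bits are set so that the
    product of a (bits1)-bit and a (bits2)-bit prime has exactly bits1+bits2 bits."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(n_bits: int = 1024, q_bits: int = 341, d_bits: int = 120):
    """Returns (public, private) = ((n, e, q_bits), (p, q, d)).
    Safe primes, which the paper recommends, are not enforced (assumption)."""
    q = random_prime(q_bits)
    p = random_prime(n_bits - q_bits)
    while True:
        d = secrets.randbits(d_bits) | (1 << (d_bits - 1)) | 1   # odd, exactly d_bits long
        if gcd(d, q - 1) == 1:
            break
    e = pow(d, -1, q - 1)                                       # e*d = 1 mod (q-1)
    return (p * q, e, q_bits), (p, q, d)


def encrypt(pub, m: int) -> int:
    """c = m^e mod n.  The encryptor enforces 0 < m < q through the public bound
    m < 2^(q_bits-1) <= q, which is why q_bits travels with the public key."""
    n, e, q_bits = pub
    if not 0 < m < (1 << (q_bits - 1)):
        raise ValueError("plaintext outside the allowed domain 0 < m < 2^(|q|-1)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """m = c^d mod q: a 120-bit exponent over a 341-bit modulus, which is where
    the speed advantage over RSA's 1024-bit exponent and modulus comes from.
    Correct because c^d = m^(ed) = m^(1 + k(q-1)) = m (mod q) for 0 < m < q."""
    p, q, d = priv
    return pow(c, d, q)


if __name__ == "__main__":
    pub, priv = keygen()
    m = (1 << 300) + 12345                      # constructed sample plaintext
    assert decrypt(priv, encrypt(pub, m)) == m
    print("round trip ok; |n| =", pub[0].bit_length(), "|q| =", priv[1].bit_length())
```

Note that the domain check in `encrypt` is the part the paper's chosen-ciphertext remark depends on: a decryptor that returns c^d mod q for inputs encoded outside the domain is exactly what a proper encoding (as in [BR94] or [OU98]) and the tamper-resistant device's never exporting the decrypted value are meant to rule out.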

Security Analysis 

Small d. It is shown in [Wie90] that if d is small, say |d| < |n|/4, then the RSA scheme can be broken. The attack is very simple and beautiful:

In number theory we have: if η/ξ approximates a known number c closely enough, i.e., |c − η/ξ| < 1/(2ξ^2), then η and ξ can be efficiently computed by continued fractions. Since ed = 1 mod φ(n), we have ed = kφ(n) + 1 for some k, |k| < |d|. Then |e/n − k/d| = |(kp + kq − k + 1)/(nd)| < 1/(2d^2) due to |d| < |n|/4. Therefore k and d can be quickly computed from e and n.

In [BD99], the result is improved to breaking RSA for |d| < 0.292|n| by a lattice method, which can be regarded as the generalization of approximation to multiple dimensions. In both [Wie90] and [BD99], the e satisfying ed = 1 mod φ(n) is the key point. But in our scheme, e satisfies ed = 1 mod (q − 1) instead of mod φ(n). If we target the d' such that ed' = 1 mod φ(n) for the public key e, that d' must be very large. Another attack on a small exponent d is the meet-in-the-middle attack, which is similar to the birthday attack but requires the FFT technique. The complexity of that attack is

O((log d)^2 · √d). Therefore taking 120 bits gives a security level of 2^[illegible].

Chosen Ciphertext Attack. The scheme is fragile against a chosen ciphertext attack. An attacker can choose an M > q and set c = M^e mod n. The decryption m = c^d mod q satisfies gcd(n, M − m) = q. However, this attack does not cause any problem if we carefully choose an encoding format before encryption, as done in [BR94] and [OU98], which provide provable security. Besides, the application of the scheme in our video system prevents the chosen ciphertext attack, since the decrypted value never leaves the tamper-resistant hardware device. The decrypted value is the key used to encrypt the video. So the chosen ciphertext attack does not apply.

Factorization. In our scheme, n is a composite of two primes of different sizes. For the situation where n has 1024 bits and the smaller prime factor has 341 bits, current factoring techniques cannot perform better than when factoring a 1024-bit n with two equal-size primes. This is because the most efficient algorithm, the number field sieve, has complexity L_n(1/3, c), which depends on the size of n. The elliptic curve factoring algorithm depends on the size of the smaller prime q, but it has complexity L_q(1/2, c). So currently available factoring techniques do not make factoring our n easier. The same argument is used in [OU98], where n = p^2 q has 1024 bits, and in MultiPrime [Compaq], where n (|n| = 1024) is a composite of three different primes.
Appendix

Fast Encryption Scheme I 

Now we introduce the first scheme of our fast encryption framework. AES is expected to be the encryption standard for this whole century. It is regarded as unbroken unless some impossible breakthroughs in mathematics take place. Therefore, we take SE_0 to be AES (Rijndael). The stream cipher FE_0 is given as follows. The whole picture of the scheme is described in Section 6.

Description of the Stream Cipher FE_0

The stream cipher has a 128-bit key size and operates on 32-bit plaintext 
strings b^b 2 ' ■■ b^ - • ■ . Denote the 128-bit key as k = k^k^k^k^, where k, s are 32-bit 
strings. Define 

F{k,x) = {{{{x + k^)®k 2 )y~k^)®k^)^ 

where v is a 32-bit string, © is the bit-wise XOR, + and X are mod 2^^ addition 
and multiplication respectively, and J is to reverse the 32 bits into opposite ranking. 
Encryption of the plaintext strings ^ 1^2 ‘ given by 

= 6,. © F{k, F{k, F{k, ) © 6,._j ) © dj_2 ) 

where d^d 2 ---d^--- are the corresponding ciphertext strings and where d_^,dQ,b^ 
are set to k 2 , k^, k^, respectively. 
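The following is an added example written for this edit, not the paper's implementation: the cipher FE() exactly as defined above, with encryption, decryption and a small check of how a one-bit ciphertext error propagates through the plaintext feedback term b_{i−1}. The big-endian word layout, the zero-padding of a segment to a word boundary, the sample key and the sample segment are assumptions made for the example; the initial values d_{−1} = k_2, d_0 = k_3, b_0 = k_4 follow the reading of the text given above.

```python
# Added example: the stream cipher FE() of Scheme I as described above.
# Written for this edit; byte/word order, the padding rule and the sample
# key and segment are assumptions, not the paper's choices.

MASK32 = 0xFFFFFFFF


def rev32(x):
    """The ^R operation: reverse the order of the 32 bits of x."""
    return int(f"{x:032b}"[::-1], 2)


def F(k, x):
    """F(k, x) = ((((x + k1) XOR k2) * k3) XOR k4)^R with + and * mod 2^32."""
    k1, k2, k3, k4 = k
    y = (x + k1) & MASK32
    y ^= k2
    y = (y * k3) & MASK32
    y ^= k4
    return rev32(y)


def split_key(key):
    """128-bit key k = k1 k2 k3 k4 as four big-endian 32-bit words (assumed order)."""
    if len(key) != 16:
        raise ValueError("FE() takes a 128-bit key")
    return tuple(int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4))


def feedback(k, d_prev, b_prev, d_prev2):
    """The three-round term F(k, F(k, F(k, d_{i-1}) XOR b_{i-1}) XOR d_{i-2})."""
    return F(k, F(k, F(k, d_prev) ^ b_prev) ^ d_prev2)


def process(k, words, decrypt):
    """d_i = b_i XOR feedback.  Decryption recomputes the identical feedback
    from the previous ciphertext and plaintext words, so one loop serves both."""
    k1, k2, k3, k4 = k
    d_prev2, d_prev, b_prev = k2, k3, k4   # d_{-1}, d_0, b_0 (reading of the text above)
    out = []
    for w in words:
        fb = feedback(k, d_prev, b_prev, d_prev2)
        if decrypt:
            d, b = w, w ^ fb
        else:
            b, d = w, w ^ fb
        out.append(b if decrypt else d)
        d_prev2, d_prev, b_prev = d_prev, d, b
    return out


def to_words(data):
    """Split bytes into big-endian 32-bit words, zero-padding the tail (assumption)."""
    data = data + b"\x00" * (-len(data) % 4)
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def from_words(words):
    return b"".join(w.to_bytes(4, "big") for w in words)


def encrypt(key, plaintext):
    return from_words(process(split_key(key), to_words(plaintext), decrypt=False))


def decrypt(key, ciphertext):
    return from_words(process(split_key(key), to_words(ciphertext), decrypt=True))


def tamper_propagates(key, plaintext, pos):
    """Flip one bit of ciphertext word `pos` and return the indices of plaintext
    words that then decrypt differently.  Because b_{i-1} is fed back, the error
    keeps propagating instead of dying out after two words as it would with
    ciphertext feedback alone."""
    ct = process(split_key(key), to_words(plaintext), decrypt=False)
    ct[pos] ^= 1
    pt = process(split_key(key), ct, decrypt=True)
    return [i for i, (a, b) in enumerate(zip(to_words(plaintext), pt)) if a != b]


# Constructed sample key and 64-byte segment (not from the paper).
KEY = bytes(range(16))
SEGMENT = b"Sample video segment bytes, constructed for this example only!!!"

if __name__ == "__main__":
    ct = encrypt(KEY, SEGMENT)
    print(ct.hex())
    print(decrypt(KEY, ct) == SEGMENT)
    print(tamper_propagates(KEY, SEGMENT, 1))
```

Since k_3 in the sample key is odd, multiplication by it is a bijection mod 2^32 and F is a permutation of 32-bit words; the cipher does not rely on that, because F is only ever used in the feed-forward term that both sides recompute.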

We implemented the encryption scheme on a 233MHz Pentium-II/MMX processor 
(the encryption speed of Serpent on the same processor is about 25.8 Mbit/s). The 
experiment results are given in the table below. 



Table 1. Experiment Results of Encryption Scheme I 

Total Data Size (bits) | Segment Size (bits) | Test 1 (Mbit/s) | Test 2 (Mbit/s) | Test 3 (Mbit/s) | Test 4 (Mbit/s) | Average Speed (Mbit/s) 
5,242,880,000 | 32,768 | 297.0 | 296.1 | 297.0 | 297.0 | 296.7 
5,242,880,000 | 65,536 | 304.0 | 302.9 | 304.0 | 304.0 | 303.7 
5,242,880,000 | 131,072 | 307.0 | 307.0 | 307.0 | 308.1 | 307.3 
5,242,880,000 | 262,144 | 309.1 | 309.1 | 309.1 | 309.3 | 309.2 

Secure and Private Distribution of Online Video 
Security Discussion 

Security of the secret key: The secret key K is protected by SE(), which by our 
assumption is secure against all known attacks. 

Meet-in-the-middle attack on segment keys: This is a type of brute force attack. 
By meeting at one or more bits in the middle, the attacker exhaustively searches the key 
bits relevant to these middle bits. Since we take 3 rounds of F, the meet-in-the-middle 
attack does not work. This is because at least one of the two sides of the middle bits 
goes through two rounds of F; therefore, at least 96 bits of the key affect one middle 
bit. 

Chosen ciphertext attack on segment keys: It is well known that all stream 
ciphers that have ciphertext feedback are vulnerable to chosen ciphertext attacks. 
Suppose our stream cipher were defined as 

d_i = b_i ⊕ F(k, F(k, F(k, d_{i−1}) ⊕ d_{i−1}) ⊕ d_{i−2}). 

By letting d'_{i−1} = d_{i−1}, d'_{i−2} = d_{i−2} and d_i and d'_i differ in only one bit, an 
attacker can ask for the decryption of d_i and d'_i and apply a differential attack. 
However, our stream cipher is defined by 

d_i = b_i ⊕ F(k, F(k, F(k, d_{i−1}) ⊕ b_{i−1}) ⊕ d_{i−2}), 

which has both ciphertext and plaintext feedback. In this case, if the attacker 
chooses both plaintext and ciphertext, the decrypted plaintext from the chosen 
ciphertext has only a very small chance of matching the chosen plaintext. On the other 
hand, if the attacker tries to find such a match from known plaintext/ciphertext (instead 
of chosen plaintext/ciphertext), the required number of known plaintext/ciphertext 
pairs is around 2^32 blocks (like the birthday attack on 2^64). However, this 
amount of plaintext/ciphertext pairs will not be available to the attacker, since our 
segment size can never be so large. 

Fast Encryption Scheme II 

This encryption scheme is identical to Scheme I except that it uses another very 
fast stream cipher FE(), which is given below. 

Description of the Stream Cipher FE() 

This stream cipher is used to expand a 128-bit key into a key stream of a plaintext 
segment's size. Before illustrating its detailed design, we introduce the notation below: 

T : a table containing 19 elements, each consisting of 32 bits. 

T_i : the ith element of the table T. 

k : the 128-bit secret key, consisting of four 32-bit words k_0, k_1, k_2 and k_3. 

c_i : a 32-bit constant generated from the constant e as c_i = (e × [illegible]) & 
0xFFFFFFFF, i = 0 to 18. 

r'_i : a constant between 3 and 14. It is generated from the constant π as 
r'_i = ((π × 2^[illegible]) & 0xFF) mod 12 + 3, i = 0 to 18. 

We use the standard notations &, ⊕ and >>> to represent bit-wise AND, bit-wise 
XOR and right rotation, respectively. In addition, we define a feedback function F 
and an output function G below. 

Definition of F. The input to F is the table T and a rotation constant r. The 
output of F is given as 

f = (((T_? ⊕ T_?) + T_13) >>> r) ⊕ T_? 

(the tap indices marked ? are illegible in the scan). 

Definition of G. The input to G is the table T and the output is given as 

g = ((T_? + T_?) ⊕ T_?) + T_? 

(the four tap indices are illegible in the scan). 

The operation of this stream cipher consists of two stages: the initial setup stage 
and the output stage, or the main algorithm. 

The initial setup stage 

1. Let T_i = c_i + k_{i mod 4}, for i = 0 to 18. 

2. Let r_i = r'_i + ((k_0 >> 4i) & 0xF) for i = 0 to 7; 
r_i = r'_i + ((k_1 >> (4 × (i − 8))) & 0xF) for i = 8 to 15; 
r_i = r'_i + ((k_2 >> (4 × (i − 16))) & 0xF) for i = 16 to 18. 

3. Run the main algorithm below for 38 cycles and prepare for the output. 

The main algorithm: For the tth cycle 

1. Run the F function with r = r_{t mod 19} to obtain the value of f. 

2. Let T_i = T_{i+1} for i = 0 to 17, and let T_18 = f. 

3. Run the function G and generate the output g. 

We implemented the encryption scheme described on a 233MHz Pentium-II/MMX 
processor. The encryption speed of Serpent on the same processor is about 25.8 
Mbit/s. The experiment results are given in the table below. 



Table 2. Experiment Results of Encryption Scheme II 

Total Data Size (bits) | Segment Size (bits) | Test 1 (Mbit/s) | Test 2 (Mbit/s) | Test 3 (Mbit/s) | Test 4 (Mbit/s) | Average Speed (Mbit/s) 
24,903,680,000 | 38,912 | 1234.9 | 1236.2 | 1234.9 | 1235.5 | 1235.4 
24,903,680,000 | 79,824 | 1370.5 | 1370.5 | 1369.7 | 1370.5 | 1370.3 
24,903,680,000 | 159,648 | 1448.8 | 1447.8 | 1451.8 | 1453.8 | 1449.8 
24,903,680,000 | 319,296 | 1493.1 | 1492.1 | 1491.2 | 1493.1 | 1492.4 



Security Discussion of Encryption Scheme II 

First of all, the secret encryption key K is protected by SE. Therefore, attacking the 
key is as hard as attacking AES, which is supposed to be absolutely secure against all 
attacks. Second, each segment key generated by SE is used to encrypt a plaintext 
segment of very limited length by the stream cipher. Against a known ciphertext attack, our 
stream cipher can resist a large number of known ciphertexts. 

The security of this stream cipher greatly depends on the feature that the 19 
elements of the table T are updated in a non-linear way as the encryption goes on. 
With the carefully chosen parameters of the function F, we can show that any two outputs 
of F are generated from at most one of the same elements of T. We note that each 
updated element, which is the output of F, is a non-linear combination of four 
elements of T. The key-related rotation amount in F strengthens the cipher further. 
With these unknown rotation amounts, we believe that it would be very difficult to 
find linear relationships among the elements of T. 

The key stream is also generated from the elements of T in a non-linear way. The 
parameters of the function G are carefully chosen so that any two outputs of G are 
generated from at most one of the same elements of T, and any output of G is 
generated from at most one of the same elements of T as any output of F (the updated 
element). Thus recovering the continuously updated elements of T from the output of 
G, or revealing a linear relationship among the generated key stream, becomes 
almost infeasible. 

In this stream cipher, the elements of T are modified in a non-linear way. Thus it is 
not possible to compute the period of the generated key stream. However, the 
period is not a problem here. There are 19 32-bit elements in T. It is very 
unlikely that those elements will come back to their initial values even in the process 
of generating a 2^[illegible]-bit key stream. Furthermore, the stream cipher is used to encrypt 
only one package. The period of the output key stream is believed to be far larger than 
the size of a package. 
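The two design claims above (any two outputs of F share at most one element of T, and any output of G shares at most one element of T with any output of F) can be checked mechanically from the tap positions and the shift-register update of the main algorithm. The check below is an added example written for this edit, not the paper's code; since the paper's own tap indices are illegible in the scan, the tap sets used are hypothetical and serve only to show a set that passes and one that fails.

```python
# Added example: checking the "at most one shared element of T" claims for a
# 19-word shift register that performs T_i <- T_{i+1} (i = 0..17) and writes
# the new f into T_18 every cycle.  Tap sets below are assumptions.

REGISTER_SIZE = 19


def shared_inputs(taps_now, taps_later, delta, size=REGISTER_SIZE):
    """Number of elements of T read by an output at cycle t (positions taps_now)
    that are also read by an output at cycle t+delta (positions taps_later).
    After delta shifts, the element at position p sat at position p+delta in
    cycle t if p+delta < size; higher positions hold elements created after
    cycle t, which the earlier output cannot have read."""
    earlier = {p + delta for p in taps_later if p + delta < size}
    return len(set(taps_now) & earlier)


def max_shared(taps_a, taps_b=None, size=REGISTER_SIZE):
    """Largest number of elements of T shared by an output from taps_a and an
    output from taps_b over all pairs of cycles.  With taps_b omitted the same
    function is compared with itself at distinct cycles (F vs F, G vs G)."""
    same = taps_b is None
    if same:
        taps_b = taps_a
    worst = 0 if same else len(set(taps_a) & set(taps_b))   # same register state, F vs G only
    for delta in range(1, size):
        worst = max(worst,
                    shared_inputs(taps_a, taps_b, delta, size),   # taps_a output comes first
                    shared_inputs(taps_b, taps_a, delta, size))   # taps_b output comes first
    return worst


def overlap_free(taps_f, taps_g, size=REGISTER_SIZE):
    """True when the F-vs-F, G-vs-G and F-vs-G claims all hold for these taps."""
    return (max_shared(taps_f, size=size) <= 1
            and max_shared(taps_g, size=size) <= 1
            and max_shared(taps_f, taps_g, size) <= 1)


# Hypothetical tap sets (assumptions, not the paper's constants).  Equivalently:
# all pairwise differences within a tap set must be distinct, and the difference
# sets of F and G must not intersect.
F_TAPS_OK = (0, 1, 4, 13)    # differences 1, 3, 4, 9, 12, 13 are all distinct
F_TAPS_BAD = (0, 1, 7, 13)   # 7-1 = 13-7 = 6: outputs six cycles apart share two elements
G_TAPS_OK = (2, 7, 9, 17)    # differences 2, 5, 7, 8, 10, 15: distinct and disjoint from F's

if __name__ == "__main__":
    print(max_shared(F_TAPS_OK), max_shared(F_TAPS_BAD))
    print(overlap_free(F_TAPS_OK, G_TAPS_OK))
```

The rotation amounts and the arithmetic inside F and G do not enter this check; it only tracks which register cells each output reads, which is exactly what the "same elements of T" claim is about.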
Abstract. Many algorithmic problems, which are used to prove the security 
of a cryptographic system, are shown to be characterized as the 
subgroup membership problem. We then apply the subgroup membership 
problem to private information retrieval schemes following the method 
by Kushilevitz and Ostrovsky. The resulting scheme has the same 
communication complexity as that of Kushilevitz and Ostrovsky. 



1 Private Information Retrieval 

Chor, Goldreich, Kushilevitz and Sudan [2] introduced the private information 
retrieval scheme for remote database access, in which the user can retrieve the 
data of the user's choice without revealing the choice. Their scheme attains information 
theoretic security; however, the database must be replicated in several locations 
whose managers are not allowed to communicate with each other. The computational 
private information retrieval scheme was introduced by Chor and Gilboa [3]. 
Their scheme attains more efficient communication than Chor, Goldreich, 
Kushilevitz and Sudan's model by sacrificing information theoretic security; 
nevertheless, their scheme enjoys computational security by assuming the existence 
of pseudorandom generators. However, their scheme still needs replication 
of the database. Kushilevitz and Ostrovsky introduced a computational private 
information retrieval scheme in which only one database is needed. Their 
scheme depends on the intractability of the quadratic residue problem. More 
efficiency, polylogarithmic communication complexity, is attained by Cachin, 
Micali and Stadler. They assume a number theoretic hypothesis, which they 
call the Φ assumption, and sacrifice one-round communication to obtain 
polylogarithmic communication complexity. However, a rigorous proof of the 
intractability of the Φ assumption, or of its equivalence to a widely used assumption 
like the quadratic residue assumption or integer factorization, is not given there. 
We summarize the known results on private information retrieval in Table 1 below. 

We briefly review the general scheme of a private information retrieval (PIR 
for short) scheme. A computational PIR scheme with a single database is a 
protocol for two players, a user U and a database manager DB. Both are able to 
perform only probabilistic polynomial time computation. The database manager 
DB maintains a database, which is a binary sequence X = x_0 x_1 x_2 ⋯ x_{n−1}. The 
goal of the protocol is to allow U to obtain the ith bit x_{i−1} of X without leaking 
any information on i to DB. The protocol runs as follows: 

Step 1 U computes a query Query(i) using his random tape (coin toss), which 
U keeps secret. Then he sends Query(i) to DB. 

Step 2 DB receives Query(i). He performs a polynomial-time computation on 
the input X, Query(i) and his random tape. The computation yields the answer 
Answer(Query(i)). He sends Answer(Query(i)) back to U. 

Step 3 U receives Answer(Query(i)). He performs a polynomial-time 
computation using the answer Answer(Query(i)) and his private information (his 
random tape). The computation yields the ith bit x_{i−1} of the database. 

Correctness 

For any database sequence X and for any query Query(i) for the ith bit of X, U 
obtains x_{i−1} at the end. 

Privacy 

DB cannot distinguish a query for the ith bit from a query for the jth bit, for 
all i and j, by a polynomial-time (probabilistic) computation with non-negligible 
probability. Formally, for all constants c, for all databases of length n, for any 
two 1 ≤ i, j ≤ n, and all polynomial-size families of circuits C_k, there exists an 
integer K such that for all k > K we have 

|Prob(C_k(Query(i)) = 1) − Prob(C_k(Query(j)) = 1)| < α,   (1.1) 

where k is the security parameter of the protocol and α = (max(k, n))^{−c}. 

Computation 

Computations of both DB and U are bounded above by a polynomial in the size 
n of the database and the security parameter k. 

2 Subgroup Membership Problem 

The quadratic residue (QR for short) problem and the decision Diffie-Hellman 
(DDH for short) problem have numerous applications in cryptography, and 
hence they have been studied in detail. Our aim in this paper is to generalize and 
formalize them as the subgroup membership problem and to show that many other 
algorithmic problems used in public key cryptography are characterized 
as the subgroup membership problem as well. Such a unification of the algorithmic 
problems used in cryptography has not appeared to date, as far as the 
authors are aware. Widely used assumptions in cryptography are divided 
into two groups: the algorithmic assumptions related to integer factoring 
(and the QR) and the algorithmic assumptions related to the discrete logarithm 
problem (and the DDH). The first originates from the RSA cryptosystem and 
Table 1. Several Private Information Retrieval Schemes 

Scheme | Round Number | Security Assumption | Communication Complexity | Number of DBs 
Chor, Goldreich, Kushilevitz, Sudan [2] | 1 | Information Theoretical | [illegible] | ≥ 2 
Ambainis | 1 | Information Theoretical | [illegible] for k (> 1) DBs | ≥ 2 
Chor and Gilboa [3] | 1 | Existence of Pseudorandom Number Generators | O(n^c) for c > 0 | ≥ 2 
Kushilevitz and Ostrovsky | 1 | Quadratic Residue Problem Assumption | O(n^c) for c > 0 | 1 
Ostrovsky and Shoup [12] | Multiple | Reduction to read-only scheme | | 
Cachin, Micali and Stadler | 2 | Φ Assumption | Polylogarithmic | 1 
Proposed Scheme | 1 | Subgroup Membership Assumption (e.g. DDH assumption) | O(n^c) for c > 0 | 1 


the second from the Diffie-Hellman key exchange protocol. These two look different 
and are usually discussed separately. The unified approach to the integer 
factoring problem and the discrete logarithm problem sheds light on the fundamental 
properties of the algorithms required to provide security. Therefore, we 
can get a better understanding of the algorithmic problems by a unified treatment 
of subgroup membership problems. 

Once we prove that the subgroup membership problem is applicable to a 
certain scheme in general, then any primitive based on the subgroup membership 
problem for a specific group is applicable to the scheme in principle. As 
an example, in this paper, we show that any subgroup membership problem can 
be employed to construct a computational PIR system, by constructing a PIR 
system using the subgroup membership problem in a general manner. 



2.1 Subgroup Membership Assumption 

Determining the membership of a given element of a certain group in its subgroup 
is not always easy. As a matter of fact, the membership problem of a subgroup 
in a finitely presented group is not recursive in general. To apply the member- 
ship problem to cryptographic schemes such as asymmetric cryptosystems, we 
require the efficiency of computation for legal participants and the existence of 
a trapdoor. In this section we consider the subgroup membership problem with 
a trapdoor, and show that several problems widely used in cryptography are 
characterized as the subgroup membership problem. 
Let G be a group, and let H be its subgroup. The membership problem is 
to decide whether or not a given element g ∈ G belongs to H. We suppose 
that every element in G has a binary representation of size k, where k is the 
security parameter. The membership can be decided within polynomial time in 
k if certain information, called a trapdoor, is provided. The membership of 
an element g ∈ G in H can be decided given the trapdoor; however, the 
membership cannot be decided with probability substantially larger than ½ 
without the trapdoor. We now formalize the subgroup membership problem. 

Let k be the security parameter. For the input 1^k, a probabilistic polynomial 
time algorithm IG outputs the description of a group G, the description of 
a subgroup H ⊂ G and the trapdoor that provides a fast algorithm for the 
subgroup membership problem of H in G. The algorithm IG is called the instance 
generator. Every element of G is represented as a binary sequence of length k. 
Computation of the multiplication in G is performed in polynomial time in k. 

The predicate for the membership of a subgroup is denoted by Mem, that is, 
Mem is defined as follows: 

Mem(G, H, x) = 1 if x ∈ H, 
Mem(G, H, x) = 0 if x ∈ S, 

where IG outputs the pair (G, H), x is in G, and S = G \ H. The 
subgroup membership problem is to compute Mem in polynomial time in k when 
we input 1^k and obtain a pair of groups (G, H) and an element g in G, which 
is uniformly and randomly chosen from H or G according to the coin toss b ← 
{0,1}. If there does not exist a probabilistic polynomial time algorithm that 
computes Mem with probability substantially larger than ½, then we say that 
the membership problem is intractable. We also assume that one can choose 
uniformly and randomly an element from both H and G. This is significant for 
application to cryptographic schemes. 

The following is trivial; however, it is useful for the construction of a PIR 
system based on the subgroup membership problem. 

Proposition 1. Let G be a group, and let H be a subgroup of G. For any g ∈ G 
and h ∈ H, we have gh ∈ H if and only if g ∈ H. □ 

Subgroup Membership Assumption I 

For every constant c, and every family {C_k | k ∈ N} of circuits of polynomial 
size in k, there is an integer K such that for all k > K we have 

Prob(C_k(G, H, g) = Mem(G, H, g)) < ½ + 1/k^c,   (2.1) 

where the probability is taken over (G, H) ← IG(1^k), b ← {0,1}, g ← H if 
b = 1, g ← S if b = 0. 

The assumption claims that there exists no polynomial size circuit family 
that computes the predicate Mem. The following is equivalent to the assumption 
above. 
Subgroup Membership Assumption II 

For every constant c, and every family {C_k | k ∈ N} of circuits of polynomial 
size in k, there is an integer K such that for all k > K we have 

|P_H − P_S| < 1/k^c,   (2.2) 

where the probabilities P_H and P_S are defined as follows: 

P_H = Prob(C_k(G, H, g) = 1 : (G, H) ← IG(1^k), g ← H) 

and 

P_S = Prob(C_k(G, H, g) = 1 : (G, H) ← IG(1^k), g ← S). 

2.2 Examples 

We exhibit several subgroup membership problems: the DDH problem, the QR 
problem, the rth residue (RR for short) problem studied by Kurosawa and Tsujii, 
the p-subgroup (PSUB for short) problem introduced by Okamoto and 
Uchiyama, and the decisional composite residuosity (DCR for short) problem 
introduced by Paillier [11]. Recall that the assumption that the QR problem 
is intractable (QR assumption) is employed to prove the semantic security of the 
Goldwasser-Micali cryptosystem [5], and the assumption that the DDH problem 
is intractable (DDH assumption) is employed to prove the semantic security of the 
ElGamal cryptosystem. These two have many other applications. The assumption 
that one of the problems above is intractable is employed to prove the semantic 
security of the corresponding cryptosystem, respectively. We also 
note that the security of the cryptosystem introduced by Naccache and Stern 
depends on the PSUB assumption as well. 

Quadratic Residue Problem 

Let p, q be primes. Set N = pq. The primes p and q are the trapdoor information 
for the quadratic residue problem; on the other hand, the number N is public 
information. Let G be the subgroup of (Z/(N))* consisting of the elements whose 
Jacobi symbol is 1, and let H be the subgroup of G consisting of the quadratic 
residues of G, that is, H = {x ∈ G | x = y^2 mod N for some y ∈ (Z/(N))*}. The 
quadratic residue problem of H in G is to decide whether or not a given element 
g ∈ G belongs to H. We can effectively determine the membership of g in 
H provided that the information p and q is available. No polynomial time 
algorithm is known for the membership of a randomly chosen element of G in H 
without the information p and q. Hence, if we define an instance generator for 
the QR problem as a probabilistic algorithm that outputs two primes p and q of 
size k and a quadratic non-residue h whose Jacobi symbol is 1 for the input 1^k, 
then the QR problem is considered as a subgroup membership problem. Note 
that we can obtain a quadratic non-residue h with Jacobi symbol 1 by using 
p, q, and that it is possible to uniformly and randomly choose elements from H 
without the trapdoor information provided h is given. 
Decision Diffie-Hellman Problem 

Let C be a cyclic group of prime order p. The group C may be the multiplicative 
group of a finite field or a group of rational points of an elliptic curve. Let g be a 
generator of C. The decision Diffie-Hellman problem is to decide whether or not 
h_2 = g_2^a for a given quadruple (g_1, h_1, g_2, h_2) of elements in C with h_1 = g_1^a 
for some 1 ≤ a ≤ p − 1. If so, we say that (g_1, h_1, g_2, h_2) is a Diffie-Hellman 
quadruple. The integer a is the trapdoor of the decision Diffie-Hellman problem. 
Knowing the trapdoor a, we can efficiently decide whether or not h_2 = g_2^a. 

We show that the DDH problem can be characterized as a subgroup membership 
problem for a certain group. We set G to be the direct product C × C. 
Then the input to the DDH problem is (x, y), where x, y ∈ G, that is, x = (g_1, h_1) 
and y = (g_2, h_2). It is obvious that (g_1, h_1, g_2, h_2) is a Diffie-Hellman quadruple 
if and only if y belongs to the subgroup ⟨x⟩ of G generated by x. It follows 
that the DDH problem for the cyclic group C is equivalent to the subgroup 
membership problem of the group H = ⟨x⟩, where x = (g_1, h_1), in the group 
G = C × C = ⟨g_1⟩ × ⟨g_1⟩. Note that, when a generator x of H is given, 
it is possible to choose uniformly and randomly elements from H without the 
trapdoor information. 

Rth Residue Problem 

The RR problem is a natural extension of the QR problem, defined as follows. Let 
p, q be primes, and let e_1, e_2 be odd integers dividing p − 1 and q − 1, respectively, 
such that e_1 is prime to q − 1 and e_2 is prime to p − 1. Set N = pq and r = e_1 e_2. 
The primes p and q are the trapdoor information for the RR problem; on the 
other hand, the numbers N and r are the public information. Let G be the group 
(Z/(N))*, and let H be the subgroup consisting of the rth residues of G, that is, 
H = {x ∈ G | x = y^r mod N for some y ∈ G}. The RR problem of H in G is to 
decide whether or not a given element g ∈ G belongs to H. Thus, the RR 
is a subgroup membership problem of H in G. We can effectively determine the 
membership of g in H provided that the information p and q is available. No 
polynomial time algorithm is known for the membership of a randomly chosen 
element of G in H without the information p and q. Note that we can obtain 
an element h such that h^t ∉ {x^r mod N : x ∈ (Z/(N))*} for any 1 ≤ t ≤ r − 1 
by using the trapdoor information, and that we can uniformly and randomly 
choose an element from H provided h is given. 

P-Subgroup Problem 

Let p, q be primes such that p does not divide q − 1. Set N = p^2 q and let g 
be a random element in (Z/(N))* such that the order of g^{p−1} mod p^2 is p. The 
primes p and q are the trapdoor information for the PSUB problem; on the other 
hand, the numbers N, g, k are public information. Let G be the group defined by 
G = {x | x = g^m y^p mod N for m ∈ Z/(p) and y ∈ (Z/(N))*}, and let H be the 
subgroup defined by H = {x | x = y^p mod N for y ∈ G}. The PSUB problem of 
H in G is to decide whether or not a given element g ∈ G belongs to H. Thus, 
the PSUB is the membership problem of H in G. We can efficiently determine 
the membership of g in H provided that the information p and q is available. No 
polynomial time algorithm is known for the membership of a randomly chosen 
element of G in H without the information p and q. Note that our description 
of PSUB is slightly different from that of Okamoto-Uchiyama, where the PSUB is 
introduced as a variant of the coset indistinguishability problem, which we will 
present in Section 2.3. Naccache and Stern implicitly used the PSUB problem 
in their scheme. Paillier introduces the decisional composite residuosity (DCR 
for short) problem. This is a generalization of Okamoto-Uchiyama and is also characterized as a subgroup 
membership problem. 

For other plausible applications of the subgroup membership problem, the 
reader is also referred to the work in which the DDH assumption is applied to the 
cryptographic schemes whose only known construction method is based on the 
QR assumption. We summarize the examples above in Table 2; however, the 
table is not exhaustive at all. 



Table 2. Subgroup Membership Problems 

Problem | Related Problem | Group | Subgroup | Applications 
DDH | DLP, DH | C × C: direct product of cyclic groups | ⟨(g, h)⟩: subgroup generated by (g, h) | ElGamal 
QR | FACT(pq) | {x ∈ (Z/(N))* : Jacobi symbol of x is 1} | {x^2 mod N : x ∈ (Z/(N))*} | Goldwasser-Micali [5] 
RR | FACT(pq) | (Z/(N))* | {x^r mod N : x ∈ (Z/(N))*} | Kurosawa-Tsujii 
PSUB | FACT(p^2 q) | {x : x = g^m y^p mod N for m ∈ Z/(p), y ∈ (Z/(N))*} | {y^p mod N : y ∈ (Z/(N))*} | Okamoto-Uchiyama, Naccache-Stern 
DCR | FACT(pq) | {x : x = g^m y^N mod N^2 for m ∈ Z/(N), y ∈ (Z/(N^2))*} | {y^N mod N^2 : y ∈ (Z/(N^2))*} | Paillier [11] 

2.3 Equivalent Problems 

We examine several algorithmic problems equivalent to the subgroup membership 
problem. Suppose that IG is an instance generator of a family of groups, 
and that IG outputs (G, H) for the input 1^k. We set S = G \ H. Suppose that t 
is an integer bounded above by a polynomial in k. Let K_i be the direct product 
of t − 1 copies of H and one S, where every jth position (j ≠ i) is occupied by H 
and the ith position is occupied by S, that is, K_i = H × H × ⋯ × S × ⋯ × H 
(S in the ith position) for every i = 1, 2, ..., t. 
Let L be the union of K_1, K_2, ..., K_t, that is, L = K_1 ∪ K_2 ∪ ⋯ ∪ K_t. 
Pattern Indistinguishability Assumption 

The pattern indistinguishability assumption is to assume that the following holds: for 
every constant c, every family {C_k | k ∈ N} of circuits of polynomial size in k 
and all i, j such that 1 ≤ i, j ≤ t, there is an integer K such that for all k > K 
we have 

|P_i − P_j| < 1/k^c.   (2.3) 

Here the probabilities P_i and P_j are defined as follows: 

P_i = Prob(C_k(G, H, g_1, g_2, ..., g_t) = 1 : (G, H) ← IG(1^k), (g_1, g_2, ..., g_t) ← K_i), 
P_j = Prob(C_k(G, H, g_1, g_2, ..., g_t) = 1 : (G, H) ← IG(1^k), (g_1, g_2, ..., g_t) ← K_j). 

General Pattern Indistinguishability Assumption 

The general pattern indistinguishability assumption is to assume that the following 
holds: for every constant c, every family {C_k | k ∈ N} of circuits of polynomial 
size in k and all (i_1, i_2, ..., i_u) and (j_1, j_2, ..., j_u), there is an integer K such 
that for all k > K we have 

|P_{(i_1, i_2, ..., i_u)} − P_{(j_1, j_2, ..., j_u)}| < 1/k^c.   (2.4) 

Here the probabilities P_{(i_1, i_2, ..., i_u)} and P_{(j_1, j_2, ..., j_u)} are defined by 

P_{(i_1, i_2, ..., i_u)} = Prob(C_k(G, H, x_1, x_2, ..., x_u) = 1), 

where the probability is taken over (G, H) ← IG(1^k) and (x_1, x_2, ..., x_u) ← 
K_{i_1} × K_{i_2} × ⋯ × K_{i_u}, and 

P_{(j_1, j_2, ..., j_u)} = Prob(C_k(G, H, x_1, x_2, ..., x_u) = 1), 

where the probability is taken over (G, H) ← IG(1^k) and (x_1, x_2, ..., x_u) ← 
K_{j_1} × K_{j_2} × ⋯ × K_{j_u}. 

Coset Indistinguishability Assumption 

The coset indistinguishability assumption is to assume that the following holds: for 
every constant c, every family {C_k | k ∈ N} of circuits of polynomial size in k 
and every algorithm F that on input (G, H) outputs a pair of elements in G, 
there is an integer K such that for all k > K we have 

Prob(C_k(G, H, g_0, g_1, g) = b) < ½ + 1/k^c,   (2.5) 

where the probability is taken over (G, H) ← IG(1^k), (g_0, g_1) ← F(G, H), b ← 
{0, 1} and g ← g_b H. 
Theorem 1. The following are equivalent. 

(1) The subgroup membership assumption I. 

(2) The subgroup membership assumption II. 

(3) The pattern indistinguishability assumption. 

(4) The general pattern indistinguishability assumption. 

(5) The coset indistinguishability assumption. 

Proof. We show the equivalence among (1), (2), (3). Note that (1) clearly 
implies (3). The proof of the equivalence among (1), (4) and (5) is omitted. 

(2) implies (1): Suppose that there exists a constant c such that for every K 
there is k > K such that the circuit C_k does not satisfy (2.1). Note that 
Prob(C_k(G, H, g) = Mem(G, H, g)) = ½P_H + ½(1 − P_S). Since (2.1) does not 
hold, we have ½(P_H − P_S + 1) ≥ ½ + 1/k^c. Therefore we have |P_H − P_S| ≥ 2/k^c. 

(1) implies (2): Suppose that there exists a constant c such that for every K 
there is k > K such that the circuit C_k does not satisfy (2.2). For the circuit 
C_k (replaced by its negation if P_S > P_H), we have Prob(C_k(G, H, g) = Mem(G, H, g)) = ½P_H + ½(1 − P_S) = 
½(1 + P_H − P_S) ≥ ½ + 1/(2k^c). 

(3) implies (2): Suppose that there exists a constant c such that for every K there 
is k > K such that the circuit C_k does not satisfy (2.3). Construct a circuit 
C'_k as follows. Given (G, H) and g ∈ G, we choose uniformly and randomly 
x_1, x_2, ..., x_{t−2} from H. We also choose uniformly and randomly y from H. We 
toss a coin, say, b ← {0,1}. If b = 0, then we input (G, H, x_1, x_2, ..., x_{t−2}) 
with g inserted at the ith position and y at the jth position, and the circuit C'_k 
returns the output of C_k. If b = 1, then we input (G, H, x_1, x_2, ..., x_{t−2}) 
with y inserted at the ith position and g at the jth position, and the circuit C'_k 
returns the negation of the output of C_k. If g ∈ S, then we have 
Prob(C'_k(G, H, g) = 1 : g ← S) = ½P_i + ½(1 − P_j). If g ∈ H, then we have 
Prob(C'_k(G, H, g) = 1 : g ← H) = ½θ + ½(1 − θ) = ½, where 
θ = Prob(C_k(G, H, g_1, g_2, ..., g_t) = 1) and the probability is 
taken over g_1, g_2, ..., g_t taken uniformly and randomly from H. It follows 
that |P_H − P_S| ≥ ½|P_i − P_j| ≥ 1/(2k^c). 

3 PIR Based on the Subgroup Membership Problem 

We show that the subgroup membership problem can be applied to a PIR scheme 
by modifying Kushilevitz and Ostrovsky's scheme. The proposed scheme 
has the same communication complexity as Kushilevitz and Ostrovsky's scheme, 
whose security depends on the QR assumption. On the other hand, the security 
of the private information retrieval scheme proposed in this paper is based on 
the subgroup membership assumption. Therefore, we can construct a private 
information retrieval scheme based on any of the algorithmic problems in Section 2.2; in 
particular, we can use groups of rational points on elliptic curves or multiplicative 
groups of finite fields under the corresponding DDH assumption. We should 
remark that all the private information retrieval schemes proposed so far depend 
on either the existence of pseudorandom number generators or an intractability 
assumption related to integer factorization. No private information retrieval 
scheme based on the DDH has been proposed yet, as far as the authors are 
aware. Modifying Kushilevitz and Ostrovsky's scheme, we construct a PIR scheme based on the subgroup 
membership problem. 



3.1 Basic Idea 

First of all, we explain the basic idea of the scheme by a simple model. Suppose 
DB has the database X = x_0 x_1 x_2 ⋯ x_{n−1} and that U wishes to know the ith 
bit x_{i−1}. U chooses group elements g_0, g_1, g_2, ..., g_{i−1}, ..., g_{n−1} so that g_j ∈ H 
for j ≠ i − 1 and g_{i−1} ∈ S = G \ H. Then U sends them all to DB. DB computes 
the group element g = g_0^{x_0} g_1^{x_1} g_2^{x_2} ⋯ g_{n−1}^{x_{n−1}} and sends it back to U. DB 
cannot get to know which of g_0, g_1, g_2, ..., g_{i−1}, ..., g_{n−1} comes from S if the 
subgroup membership problem of H in G is intractable. Since U possesses the 
trapdoor, he can determine whether or not g lies in H. By Proposition 1, g lies in 
H if and only if x_{i−1} = 0. Therefore, U can obtain the ith bit x_{i−1}. This simple 
model illustrates the idea of using the subgroup membership problem, but the 
communication complexity is still large. We need the trick of Kushilevitz and Ostrovsky to reduce the 
communication complexity. 
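The simple model just described, run end to end over two of the subgroup membership instances of Section 2.2 (the quadratic residue instance and the DDH instance), as an added example written for this edit rather than code from the paper. An instance only has to expose sampling from H and from S, the group multiplication and the trapdoor membership test, which is the paper's point that any subgroup membership problem yields a PIR scheme. The primes 1019 and 1171, the safe prime 2039 with generator 4, the trapdoor a = 777 and the sample database are constructed toy values.

```python
import random
from math import gcd

# Added example, written for this edit rather than taken from the paper: the
# simple model above run over the QR and DDH instances of Section 2.2.  Only
# sample_H, sample_S, mul and the trapdoor test mem are needed from an
# instance.  All numeric parameters are constructed toy values.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computable without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

class QRInstance:
    """G = Jacobi-1 elements of (Z/N)^*, H = squares mod N, trapdoor p.
    With p = q = 3 (mod 4), h = N - 1 is a non-residue of Jacobi symbol 1."""
    def __init__(self, p, q):
        self.p, self.N, self.one = p, p * q, 1
        self.h = self.N - 1
    def mul(self, a, b):
        return a * b % self.N
    def sample_H(self):
        y = random.randrange(2, self.N)
        while gcd(y, self.N) != 1:
            y = random.randrange(2, self.N)
        return y * y % self.N
    def sample_S(self):
        return self.h * self.sample_H() % self.N
    def mem(self, g):
        # Trapdoor test: an element of G is a square mod N iff it is a square mod p.
        return pow(g, (self.p - 1) // 2, self.p) == 1

class DDHInstance:
    """G = C x C, C = <g> of prime order ell in (Z/P)^*; H = <(g, g^a)>, trapdoor a."""
    def __init__(self, P, ell, g, a):
        self.P, self.ell, self.g, self.a, self.one = P, ell, g, a, (1, 1)
    def mul(self, u, v):
        return (u[0] * v[0] % self.P, u[1] * v[1] % self.P)
    def sample_H(self):
        b = random.randrange(1, self.ell)          # (g, g^a)^b, no trapdoor needed
        return (pow(self.g, b, self.P), pow(self.g, self.a * b, self.P))
    def sample_S(self):
        b, c = random.randrange(1, self.ell), random.randrange(1, self.ell)
        while c == self.a * b % self.ell:          # skip the one exponent that lands in H
            c = random.randrange(1, self.ell)
        return (pow(self.g, b, self.P), pow(self.g, c, self.P))
    def mem(self, y):
        return y[1] == pow(y[0], self.a, self.P)

def pir_query(inst, i, n):
    """U: g_j from H for j != i-1 and g_{i-1} from S, for 1 <= i <= n."""
    return [inst.sample_S() if j == i - 1 else inst.sample_H() for j in range(n)]

def pir_answer(inst, bits, query):
    """DB: g = prod g_j^{x_j}, i.e. the product of those g_j with x_j = 1."""
    g = inst.one
    for x_j, g_j in zip(bits, query):
        if x_j:
            g = inst.mul(g, g_j)
    return g

def pir_decode(inst, g):
    """U: by Proposition 1, g lies in H iff x_{i-1} = 0."""
    return 0 if inst.mem(g) else 1

def retrieve(inst, bits, i):
    return pir_decode(inst, pir_answer(inst, bits, pir_query(inst, i, len(bits))))

# Constructed toy parameters: 1019 and 1171 are primes = 3 (mod 4); 2039 = 2*1019+1
# is prime and 4 generates its subgroup of order 1019; a = 777 is the DDH trapdoor.
QR = QRInstance(1019, 1171)
DDH = DDHInstance(P=2039, ell=1019, g=4, a=777)
DATABASE = [0, 1, 1, 0, 1, 0, 0, 1]   # constructed sample database x_0 .. x_7

def all_bits_retrieved(inst, bits=DATABASE):
    return [retrieve(inst, bits, i) for i in range(1, len(bits) + 1)] == bits

def query_hidden_from_db(i=3, n=8):
    """Without (p, q), DB can only compute Jacobi symbols, and every query
    element has symbol 1, so the position of the S-element is not visible."""
    return all(jacobi(g, QR.N) == 1 for g in pir_query(QR, i, n))

if __name__ == "__main__":
    print(all_bits_retrieved(QR), all_bits_retrieved(DDH), query_hidden_from_db())
```

The query in this simple model carries n group elements, which is the large communication cost the text refers to; the recursive scheme of Section 3.2 reduces it while keeping the same per-element structure (one element from S, the rest from H).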



3.2 Scheme 

Step 0 The user $\mathcal{U}$ inputs $1^k$ to the instance generator $\mathcal{IG}$ and then gets a pair 
$(G, H)$ of groups and the trapdoor for the subgroup membership problem of $H$ 
in $G$, where $k$ is the security parameter and every element of $G$ is represented by 
a binary sequence of length $k$. We assume the subgroup membership assumption 
of $H$ in $G$. The group $G$ is shared by both $\mathcal{DB}$ and $\mathcal{U}$. On the other hand, 
$\mathcal{U}$ keeps the trapdoor information for the subgroup membership problem of $H$ 
secret. Computations of both $\mathcal{DB}$ and $\mathcal{U}$ are performed in the group $G$. Let $X$ 
be the database managed by $\mathcal{DB}$. We suppose that $X = x_0 x_1 x_2 \cdots x_{n-1}$, where 
$x_i \in \{0,1\}$, and that $n = t^l$, where $t, l$ are positive integers. 

Step 1 $\mathcal{U}$ computes a query Query($i$) for his desired bit $x_{i-1}$, where $1 \le i \le n$, 
in the following manner. First, $\mathcal{U}$ computes the $t$-adic expansion of $i$. Let $i = \alpha_0$. 
Then the $t$-adic expansion of $i$ is $\beta_l \beta_{l-1} \cdots \beta_2 \beta_1$, where 

  $\alpha_0 = \alpha_1 t + \beta_1, \quad 0 \le \alpha_1 \le t^{l-1} - 1, \quad 0 \le \beta_1 \le t - 1,$ 
  $\alpha_1 = \alpha_2 t + \beta_2, \quad 0 \le \alpha_2 \le t^{l-2} - 1, \quad 0 \le \beta_2 \le t - 1,$ 
  $\alpha_2 = \alpha_3 t + \beta_3, \quad 0 \le \alpha_3 \le t^{l-3} - 1, \quad 0 \le \beta_3 \le t - 1,$ 
  $\qquad \cdots$ 
  $\alpha_{l-2} = \alpha_{l-1} t + \beta_{l-1}, \quad 0 \le \alpha_{l-1} \le t - 1, \quad 0 \le \beta_{l-1} \le t - 1,$ 
  $\alpha_{l-1} = \beta_l, \quad 0 \le \beta_l \le t - 1, \quad \text{and } \alpha_l = 0.$   (3.1) 

For each $u$ ($1 \le u \le l$), $\mathcal{U}$ chooses uniformly and randomly $t-1$ elements $g_{(u,0)}, 
g_{(u,1)}, \ldots, g_{(u,\beta_u - 1)}, g_{(u,\beta_u + 1)}, \ldots, g_{(u,t-1)}$ from $H$. He also chooses uniformly 
and randomly $g_{(u,\beta_u)}$ from $S = G \setminus H$. $\mathcal{U}$ defines $Q(u)$ by 

  $Q(u) = (g_{(u,0)}, g_{(u,1)}, \ldots, g_{(u,\beta_u - 1)}, g_{(u,\beta_u)}, g_{(u,\beta_u + 1)}, \ldots, g_{(u,t-1)}),$   (3.2) 

that is, $Q(u)$ is a sequence of group elements of $G$ such that the $\beta_u$th component 
is uniformly and randomly chosen from $S = G \setminus H$ and the others are uniformly 
and randomly chosen from $H$. Then, $Q(1), Q(2), \ldots, Q(l)$ comprise a query 
(denoted by Query($i$)) for the $i$th bit $x_{i-1}$ of $X$, and $\mathcal{U}$ sends Query($i$) to $\mathcal{DB}$. 
Since each $Q(u)$ consists of $t$ group elements from $G$, $Q(u)$ is represented by $k \times t$ 
bits. Thus, Query($i$) consists of $k \times t \times l$ bits. 

Step 2 Receiving Query($i$), $\mathcal{DB}$ constructs child databases recursively from 
the original database $X$. We regard $X$ as the $t^{l-1} \times t$ binary matrix 

  $D(0,\lambda) = \begin{pmatrix} x_0 & x_1 & x_2 & \cdots & x_{t-1} \\ x_t & x_{t+1} & x_{t+2} & \cdots & x_{2t-1} \\ \vdots & & & & \vdots \\ x_{t^l - t} & x_{t^l - t + 1} & \cdots & & x_{t^l - 1} \end{pmatrix},$ 

where $\lambda$ denotes the empty sequence in $\{0, 1, 2, \ldots, k-1\}^*$. We note that the 
target bit $x_{i-1}$ is the $(\alpha_1, \beta_1)$ entry of $D(0,\lambda)$ ($\alpha_1$ and $\beta_1$ are obtained in (3.1)). 
Denote it by Target($D(0,\lambda)$). 

We recursively define child databases $D(u,s)$, where $1 \le u \le l$ and $s \in 
\{0, 1, 2, \ldots, k-1\}^u$. Suppose that we have defined the databases $D(u,s)$ and 
their target bits Target($D(u,s)$) for $s \in \{0, 1, 2, \ldots, k-1\}^u$ and $0 \le u \le l-1$. 
Then we define the databases $D(u+1, s0), D(u+1, s1), \ldots, D(u+1, s(k-1))$. 

The database $D(u,s)$ is a binary sequence of length $t^{l-u}$. We regard $D(u,s)$ 
as a $t^{l-u-1} \times t$ binary matrix. Suppose that 

  $D(u,s) = \begin{pmatrix} y_0 & y_1 & y_2 & \cdots & y_{t-1} \\ y_t & y_{t+1} & y_{t+2} & \cdots & y_{2t-1} \\ \vdots & & & & \vdots \\ y_{t^{l-u} - t} & y_{t^{l-u} - t + 1} & \cdots & & y_{t^{l-u} - 1} \end{pmatrix}.$ 

We now construct $k$ child databases, $D(u+1, s0), D(u+1, s1), \ldots, D(u+1, s(k-1))$. 

Recall that $Q(u)$ consists of $t$ group elements $g_{(u,0)}, g_{(u,1)}, \ldots, g_{(u,t-1)}$ 
in $G$ (defined in (3.2)). We define a group element for each row $v = 
0, 1, 2, \ldots, t^{l-u-1} - 1$ as follows. We set 

  $f_{(v,w)} = \begin{cases} g_{(u,w)} & \text{if } D(u,s)(v,w) = 1 \\ 1 & \text{if } D(u,s)(v,w) = 0, \end{cases}$   (3.3) 

where $D(u,s)(v,w)$ denotes the $(v,w)$ entry of $D(u,s)$. Then we set 

  $f_{D(u,s),v} = \prod_{w = 0, 1, 2, \ldots, t-1} f_{(v,w)}$   (3.4) 

for each row $v = 0, 1, 2, \ldots, t^{l-u-1} - 1$. We note that the group element $f_{D(u,s),v}$ 
($0 \le v \le t^{l-u-1} - 1$) is of size $k$, and that $f_{D(u,s),v} \in H$ if and only if 
$D(u,s)(v, \beta_u) = 0$ by Proposition 1. The $r$th child database $D(u+1, sr)$ ($0 \le r \le 
k-1$) is defined to be the sequence consisting of $g_0(r), g_1(r), \ldots, g_{t^{l-u-1} - 1}(r)$, 
where $g_v(r)$ denotes the $r$th bit of the representation of $f_{D(u,s),v}$. Hence, we have 
the following matrix equation: 

  $\begin{pmatrix} f_{D(u,s),0} \\ f_{D(u,s),1} \\ \vdots \\ f_{D(u,s),t^{l-u-1} - 1} \end{pmatrix} = \bigl( D(u+1, s0) \ \ D(u+1, s1) \ \ \cdots \ \ D(u+1, s(k-1)) \bigr),$   (3.5) 

where each $f_{D(u,s),v}$ is a row vector and each $D(u+1, sr)$ is a column vector. 
Thus, $D(u+1, sr)$ is a binary sequence of length $t^{l-u-1}$. We regard it as a 
$t^{l-u-2} \times t$ binary matrix. Then the target bit for it (denoted by Target($D(u+1, sr)$)) is 
defined to be the $(\alpha_{u+1}, \beta_{u+1})$ entry of $D(u+1, sr)$ for every $r \in \{0, 1, \ldots, k-1\}$ 
($\alpha_{u+1}$ and $\beta_{u+1}$ are obtained in (3.1)). 

Step 3 In the last stage of constructing child databases, $\mathcal{DB}$ obtains the 
databases $D(l-1, s)$ ($s \in \{0, 1, 2, \ldots, k-1\}^{l-1}$). Note that each $D(l-1, s)$ contains 
$t$ bits. We regard $D(l-1, s)$ as a $1 \times t$ matrix. For each $D(l-1, s)$, we define a 
group element $A(s)$ as follows. First, we define 

  $f_{(0,w)} = \begin{cases} g_{(u,w)} & \text{if } D(l-1, s)(0,w) = 1 \\ 1 & \text{if } D(l-1, s)(0,w) = 0 \end{cases}$ 

(with $u = l-1$). Then, we set $f_{D(l-1,s),0} = \prod_{w = 0, 1, 2, \ldots, t-1} f_{(0,w)} = A(s)$. The group element $A(s)$ is 
of size $k$ for every $s \in \{0, 1, 2, \ldots, k-1\}^{l-1}$. Then the group elements $A(s)$ ($s \in 
\{0, 1, \ldots, k-1\}^{l-1}$) form the answer Answer(Query($i$)) to the query Query($i$), 
and $\mathcal{DB}$ sends Answer(Query($i$)) to $\mathcal{U}$. 

Step 4 $\mathcal{U}$ receives Answer(Query($i$)) consisting of $A(s)$, where $s \in 
\{0, 1, \ldots, k-1\}^{l-1}$. $\mathcal{U}$ can retrieve the target bit $x_i = \mathrm{Target}(D(0,\lambda))$ in polynomial 
time in $k, n$. In fact, the following holds in general. 

Theorem 2. For every database $D(u,s)$, where $0 \le u \le l-2$ and $s \in 
\{0, 1, \ldots, k-1\}^u$, $\mathcal{U}$ can compute Target($D(u,s)$) in polynomial time in $n, k$ if 
Target($D(u+1, s0)$), Target($D(u+1, s1)$), $\ldots$, Target($D(u+1, s(k-1))$) are given. 

Proof. Suppose that we have the information 

  Target($D(u+1, s0)$), Target($D(u+1, s1)$), $\ldots$, Target($D(u+1, s(k-1))$). 

Recall that $\mathcal{U}$ knows the trapdoor for the subgroup membership problem of 
the subgroup $H$ and the secret information that $g_{(u,\beta_u)} \in S = G \setminus H$ 
and $g_{(u,0)}, g_{(u,1)}, \ldots, g_{(u,\beta_u - 1)}, g_{(u,\beta_u + 1)}, \ldots, g_{(u,t-1)} \in H$, where 
$Q(u) = (g_{(u,0)}, g_{(u,1)}, \ldots, g_{(u,\beta_u - 1)}, g_{(u,\beta_u)}, g_{(u,\beta_u + 1)}, \ldots, g_{(u,t-1)})$. Note that 
the number $\beta_u$ is private information of $\mathcal{U}$. Recall that Target($D(u,s)$) is the 
$(\alpha_u, \beta_u)$ entry of the database $D(u,s)$. By the computation of $\mathcal{DB}$ in (3.4), we have 
$f_{D(u,s),\alpha_u} = \prod_{w = 0, 1, 2, \ldots, t-1} f_{(\alpha_u, w)}$. By Proposition 1 and (3.3), $f_{D(u,s),\alpha_u} \in H$ if 
and only if the $(\alpha_u, \beta_u)$ entry is $0$. Moreover, $f_{D(u,s),\alpha_u}$ is the $\alpha_u$th row of the matrix 

  $\bigl( D(u+1, s0) \ \ D(u+1, s1) \ \ D(u+1, s2) \ \ \cdots \ \ D(u+1, s(k-1)) \bigr)$ 

by (3.5). Note that the $\alpha_u$th bit in the database $D(u+1, sr)$ is the $(\alpha_{u+1}, \beta_{u+1})$ 
entry of the matrix $D(u+1, sr)$ for every $r = 0, 1, \ldots, k-1$. On the other 
hand, the $(\alpha_{u+1}, \beta_{u+1})$ entry of $D(u+1, sr)$ is Target($D(u+1, sr)$). Since $\mathcal{U}$ knows 
Target($D(u+1, s0)$), Target($D(u+1, s1)$), $\ldots$, Target($D(u+1, s(k-1))$), he can retrieve 
$f_{D(u,s),\alpha_u}$. After retrieving $f_{D(u,s),\alpha_u}$, $\mathcal{U}$ checks whether or not $f_{D(u,s),\alpha_u}$ is in 
$H$. Therefore, $\mathcal{U}$ can retrieve Target($D(u,s)$) in polynomial time. □ 



3.3 Privacy 

In the proposed scheme, the query Query($i$) consists of $Q(1), Q(2), \ldots, Q(l)$, 
and each $Q(u)$ consists of 

  $(g_{(u,0)}, g_{(u,1)}, \ldots, g_{(u,\beta_u - 1)}, g_{(u,\beta_u)}, g_{(u,\beta_u + 1)}, \ldots, g_{(u,t-1)}),$ 

where one of the components is chosen uniformly and randomly from $S = G \setminus 
H$ and the others are chosen uniformly and randomly from $H$. The privacy is 
assured by the inequality 

  $|\mathrm{Prob}(C_k(\mathrm{Query}(i)) = 1) - \mathrm{Prob}(C_k(\mathrm{Query}(j)) = 1)| < \sigma,$ 

where $\sigma$ is the bound (a function of $\mathrm{Max}(k, n)$) given in Section 2. This is exactly the general pattern 
indistinguishability assumption in (2.4) if $n$ is bounded by a polynomial in $k$. Hence, 
the privacy of the proposed scheme is guaranteed by the subgroup membership 
assumption by Theorem 1. 



3.4 Communication Complexity 

In the first step, $\mathcal{U}$ sends Query($i$) $= (Q(1), Q(2), \ldots, Q(l))$. Each $Q(u)$ consists 
of $t$ group elements in $G$. Since every element in $G$ is represented by a binary 
sequence of length $k$, the total number of bits sent in this stage is $l \times t \times k$. In the second step, 
$\mathcal{DB}$ sends Answer(Query($i$)) consisting of $k^{l-1}$ group elements in $G$. Therefore, 
the total number of bits sent in this stage is $k^{l-1} \times k = k^l$. Consequently, the communication 
complexity is $ltk + k^l = l\,n^{1/l}\,k + k^l$. Suppose that $k = n^{\epsilon}$ and $l = \ldots$. Then we 
have $l = \ldots$ and $k^l = (2^{\log k})^l = 2^{l \log k} = \ldots = n^{\ldots}$. 
On the other hand, we have $ltk + k^l = k^{\ldots}(\ldots) \le \ldots$. Hence, we have 
$ltk + k^l = (n^{\ldots})^{\ldots}$. It follows that the communication complexity is $O(n^{\epsilon})$. 
3.5 Small Example 

For a good understanding of the scheme, we illustrate it with a small example. 
Suppose that the database is given by $X = x_0 x_1 x_2 x_3 x_4 x_5 x_6 x_7 x_8 = 110010101$. 
The size of the database is $9 = 3^2$ in this example. Let $t = 3$. The $X$ is 
identified with the $t \times t$ matrix 

  $D(0,\lambda) = \begin{pmatrix} 1 & 1 & 0 \\ 0 & 1 & 0 \\ 1 & 0 & 1 \end{pmatrix}.$ 

Suppose that the user $\mathcal{U}$ wants to read $x_7$. He computes the 3-adic expansion of 7 as in (3.1). Then 
we have $7 = 2 \times 3 + 1$, $2 = 0 \times 3 + 2$. Hence, we have $\alpha_0 = 7$, $\alpha_1 = 2$, 
$\alpha_2 = 0$, $\beta_1 = 1$, $\beta_2 = 2$. Then $\mathcal{U}$ chooses uniformly and randomly 3 group 
elements $g_{(0,0)}, g_{(0,1)}, g_{(0,2)}$, where $g_{(0,0)}$ and $g_{(0,2)}$ belong to $H$ and $g_{(0,1)}$ 
belongs to $S = G \setminus H$ since $\beta_1 = 1$. Next, $\mathcal{U}$ chooses uniformly and randomly 
3 group elements $g_{(1,0)}, g_{(1,1)}, g_{(1,2)}$, where $g_{(1,0)}$ and $g_{(1,1)}$ belong to $H$ and 
$g_{(1,2)}$ belongs to $S = G \setminus H$ since $\beta_2 = 2$. The query Query(7) consists of 
$Q(1) = (g_{(0,0)}, g_{(0,1)}, g_{(0,2)})$ and $Q(2) = (g_{(1,0)}, g_{(1,1)}, g_{(1,2)})$. It is sent to $\mathcal{DB}$ by 
$\mathcal{U}$. Let us assume that every element of $G$ is represented by a binary sequence of 
length 4. $\mathcal{DB}$ receives Query(7) and then performs the following computation. 
Using (3.3), he sets $f_{(0,0)} = g_{(0,0)}$, $f_{(0,1)} = g_{(0,1)}$, $f_{(0,2)} = 1$, $f_{(1,0)} = 1$, $f_{(1,1)} = g_{(0,1)}$, 
$f_{(1,2)} = 1$, $f_{(2,0)} = g_{(0,0)}$, $f_{(2,1)} = 1$, $f_{(2,2)} = g_{(0,2)}$ corresponding to the database. 
Then, using (3.4), he computes $f_{D(0,\lambda),0} = f_{(0,0)} f_{(0,1)} f_{(0,2)} = g_{(0,0)} g_{(0,1)}$, 
$f_{D(0,\lambda),1} = f_{(1,0)} f_{(1,1)} f_{(1,2)} = g_{(0,1)}$, $f_{D(0,\lambda),2} = f_{(2,0)} f_{(2,1)} f_{(2,2)} = g_{(0,0)} g_{(0,2)}$. 
Suppose that $f_{D(0,\lambda),0}, f_{D(0,\lambda),1}, f_{D(0,\lambda),2}$ are represented by 0110, 1010, 1101, 
respectively. It is helpful to see it in the matrix form as follows: 

  $\begin{pmatrix} f_{D(0,\lambda),0} \\ f_{D(0,\lambda),1} \\ f_{D(0,\lambda),2} \end{pmatrix} = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 1 & 0 & 1 & 0 \\ 1 & 1 & 0 & 1 \end{pmatrix}.$ 

$\mathcal{DB}$ constructs four child databases $D(1,0), D(1,1), D(1,2), D(1,3)$, where $D(1,0) = 
(011)^T$, $D(1,1) = (101)^T$, $D(1,2) = (110)^T$, $D(1,3) = (001)^T$. Note that we have 

  $\begin{pmatrix} f_{D(0,\lambda),0} \\ f_{D(0,\lambda),1} \\ f_{D(0,\lambda),2} \end{pmatrix} = \bigl( D(1,0) \ \ D(1,1) \ \ D(1,2) \ \ D(1,3) \bigr).$ 

For each database, using $Q(2) = (g_{(1,0)}, g_{(1,1)}, g_{(1,2)})$, he computes a group element. For $D(1,0) = 
(011)^T$, he computes $A(0) = g_{(1,1)} g_{(1,2)}$. For $D(1,1) = (101)^T$, he computes 
$A(1) = g_{(1,0)} g_{(1,2)}$. For $D(1,2) = (110)^T$, he computes $A(2) = g_{(1,0)} g_{(1,1)}$. For 
$D(1,3) = (001)^T$, he computes $A(3) = g_{(1,2)}$. He sends $(A(0), A(1), A(2), A(3))$ 
to $\mathcal{U}$ as Answer(Query(7)). Receiving Answer(Query(7)), $\mathcal{U}$ checks the 
memberships of $A(0), A(1), A(2)$ and $A(3)$ in $H$. Since $\mathcal{U}$ keeps the trapdoor for the 
subgroup membership problem for $H$, he can check the memberships of these 
elements in polynomial time. Since $g_{(1,2)} \in S$ while $g_{(1,0)}, g_{(1,1)} \in H$, he finds that $A(0), A(1), A(3) \in S$ and $A(2) \in H$ 
and concludes that $f_{D(0,\lambda),2} = 1101$. Checking the membership of $f_{D(0,\lambda),2}$ in $H$, 
he finds that $x_7 = 0$. 
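The simple model of Section 3.1 and Steps 0-4 of Section 3.2, as they play out on the example of Section 3.5, in an added Python example that is not part of the paper. It assumes a constructed toy instance of the DDH kind: $G = \langle g \rangle \times \langle g \rangle$ for the order-11 subgroup of $\mathbb{Z}_{23}^*$, $H$ the set of Diffie-Hellman tuples $(g^a, g^{ab})$, and trapdoor $b$. Elements are encoded in $k = 10$ bits instead of the 4 bits of the example, and the code follows the example's convention of indexing the database from 0 and retrieving $x_i$ for the expansion of $i$. All helper names (`Instance`, `make_query`, `answer_query`, `recover`, `pir_read`) are my own.

```python
"""Toy instance of the subgroup-membership PIR scheme of Sections 3.1-3.5."""
import random

# Constructed toy parameters: p = 23, q = 11, and GEN = 2 has order q in Z_23^*.
P, Q, GEN = 23, 11, 2
COORD_BITS = 5                  # each coordinate is < 23 and fits in 5 bits
K = 2 * COORD_BITS              # k: bits per element of G = <g> x <g>
IDENT = (1, 1)                  # the identity element, written "1" in (3.3)

def mul(e1, e2):
    """Componentwise product in G = <g> x <g>."""
    return (e1[0] * e2[0] % P, e1[1] * e2[1] % P)

def to_bits(e):
    """Binary representation of a group element (k = 10 bits, MSB first)."""
    return [(e[0] >> (COORD_BITS - 1 - j)) & 1 for j in range(COORD_BITS)] + \
           [(e[1] >> (COORD_BITS - 1 - j)) & 1 for j in range(COORD_BITS)]

def from_bits(bits):
    x = int("".join(map(str, bits[:COORD_BITS])), 2)
    y = int("".join(map(str, bits[COORD_BITS:])), 2)
    return (x, y)

class Instance:
    """Subgroup membership instance (assumed, DDH setting): G = <g> x <g>,
    H = {(g^a, g^{ab})} and trapdoor b.  G/H is cyclic of prime order q, so a
    product of elements of H with exactly one element of S = G \\ H lies in S,
    which is the property Proposition 1 relies on."""
    def __init__(self, rng):
        self.rng = rng
        self.b = rng.randrange(1, Q)          # trapdoor, known only to U

    def sample_H(self):
        a = self.rng.randrange(Q)
        return (pow(GEN, a, P), pow(GEN, a * self.b % Q, P))

    def sample_S(self):
        while True:
            a, c = self.rng.randrange(Q), self.rng.randrange(Q)
            if c != a * self.b % Q:
                return (pow(GEN, a, P), pow(GEN, c, P))

    def in_H(self, e):
        """Membership test; only U, who holds b, can run it."""
        return e[1] == pow(e[0], self.b, P)

def t_adic(i, t, l):
    """(3.1): alpha[0] = i and alpha[u-1] = alpha[u] * t + beta[u] for u = 1..l."""
    alpha, beta = [i], [None]
    for u in range(1, l + 1):
        alpha.append(alpha[u - 1] // t)
        beta.append(alpha[u - 1] % t)
    return alpha, beta

def make_query(inst, i, t, l):
    """Step 1: Q(u) holds t elements, the beta_u-th from S and the others from H."""
    _, beta = t_adic(i, t, l)
    return {u: [inst.sample_S() if w == beta[u] else inst.sample_H()
                for w in range(t)] for u in range(1, l + 1)}

def answer_query(X, t, l, query):
    """Steps 2-3, run by DB without the trapdoor.  Returns the elements A(s)
    for all s in {0..k-1}^{l-1}, in lexicographic order of s."""
    def level(D, u):                        # D is the bit sequence of D(u, s)
        Qu = query[u + 1]                   # D(u, .) is paired with Q(u+1), as in 3.5
        fs = []
        for v in range(len(D) // t):        # (3.3)-(3.4): one element per row
            f = IDENT
            for w in range(t):
                if D[v * t + w]:
                    f = mul(f, Qu[w])
            fs.append(f)
        if u == l - 1:                      # D(l-1, s) is a single row: A(s)
            return [fs[0]]
        out = []
        for r in range(K):                  # (3.5): r-th child = r-th bit column
            out.extend(level([to_bits(f)[r] for f in fs], u + 1))
        return out
    return level(list(X), 0)

def recover(inst, answer, l):
    """Step 4 / Theorem 2: U walks the answer bottom-up with the trapdoor."""
    def target(u, chunk):                   # Target(D(u, s)) from the A(s') below it
        if u == l - 1:
            return 0 if inst.in_H(chunk[0]) else 1
        size = len(chunk) // K
        bits = [target(u + 1, chunk[r * size:(r + 1) * size]) for r in range(K)]
        return 0 if inst.in_H(from_bits(bits)) else 1   # bits = f_{D(u,s), alpha_{u+1}}
    return target(0, answer)

def pir_read(X, t, l, i, seed=1):
    """Full run: returns the bit x_i of the database X (indexed from 0 as in 3.5)."""
    assert len(X) == t ** l and 0 <= i < len(X)
    inst = Instance(random.Random(seed))
    query = make_query(inst, i, t, l)         # l*t elements, never reveals beta_u
    answer = answer_query(X, t, l, query)     # k^{l-1} elements
    return recover(inst, answer, l)
```

The answer is a list of $k^{l-1}$ group elements in the order $s = 0\ldots0, 0\ldots1, \ldots$, which is exactly the traffic counted in Section 3.4 ($ltk$ bits up, $k^l$ bits down). `answer_query` never calls `in_H`, so the database side runs without the trapdoor; with these toy parameters $b$ is tiny and membership is of course easy to decide by brute force, so the block demonstrates correctness of the recursion, not the privacy argument of Section 3.3.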
Abstract. An English auction is the most familiar type of auction. 
Generally, an electronic auction has mainly two entities, the registration 
manager (RM) who treats the registration of bidders, and the auction 
manager (AM) who holds auctions. Before starting an auction, a bidder 
who wants to participate in an English auction is registered to RM with 
her/his information. An electronic English auction protocol should satisfy 
the following nine properties: (a) Anonymity, (b) Traceability, (c) No 
framing, (d) Unforgeability, (e) Fairness, (f) Verifiability, (g) Unlinkability 
among different auctions, (h) Linkability in an auction, and (i) Efficiency 
of bidding. Furthermore, from the practical point of view, we add two 
properties: (j) One-time registration and (k) Easy revocation. A group 
signature has been adapted to an English auction in order to satisfy (a), (b), and 
(f). However, such a direct adoption suffers from the most critical 
drawback of group signatures, their inefficiency. In this paper we propose a 
more realistic electronic English auction scheme, which satisfies all of 
these properties. Four notable features of our scheme are: 

(1) both bidding and verification of bids are done quite efficiently by 
introducing a bulletin board, 

(2) anonymity for RM, AM and any participant can be realized to plural 
auctions by only one-time registration, 

(3) RM can easily revoke a bidder, and 

(4) nobody can impersonate any bidder. 



Keywords: anonymity, signature of knowledge, bulletin board, easy revocation 



1 Introduction 

1.1 Background 

An English auction is the most familiar type of auction. In an English auction, 
each bidder offers a higher price one by one, and finally the bidder who offers the 
highest price gets the good. An English auction is used on the Internet as well as in 
the real world. In an English auction through the Internet, it is important to spoil 
the collusion of bidders, because the Internet makes the formation of ring members 
much easier. Therefore anonymity plays an important role in spoiling the 
collusion of bidders. In an English auction, all bid information is published. 
Therefore the competition principle works well and any bidder easily knows 
her/his market price position. This is why an English auction is the most familiar 
style of auction. In this paper, we investigate an electronic English auction. 

Generally, an electronic auction has mainly two entities, the registration 
manager (RM) who treats the registration of bidders, and the auction manager (AM) 
who holds auctions. Before starting an auction, a bidder who wants to 
participate in an English auction is registered to RM with her/his information. As 
for studies about electronic auctions, sealed-bid auctions have often been 
investigated. In a sealed-bid auction, each bidder secretly submits a bid to AM only once, 
and the bidder who offers the highest price gets the goods. A sealed-bid auction 
has two problems: (1) the competition principle does not work well; (2) the winning 
bid may be at a much higher price than the market one. 

In the case of a sealed-bid auction, a canceled bid does not affect the valid 
bidders. However, in the case of an English auction, no bid is allowed to be 
canceled. If a bid could be canceled in an English auction, the highest bid might be 
insignificant. Therefore, in an electronic English auction, it is most important 
to satisfy the following two properties, (a) Anonymity and (b) Traceability. 
Although any bidder can participate anonymously, it is necessary to identify the 
winner after the bidding. This means that every bid placed in an English auction 
must be verified while maintaining the anonymity of the bid. In addition to the above 
two properties, an electronic English auction should satisfy the following nine 
properties: 

(a) Anonymity: nobody can identify a bidder from her/his signature on a bid. 

(b) Traceability: A winner cannot deny that she/he submitted the winning bid 
after the winner decision procedure. 

(c) No framing: nobody can impersonate a certain bidder. 

(d) Unforgeability: nobody can forge a bid with a valid signature. 

(e) Fairness: all bids should be fairly dealt with. 

(f) Verifiability: anybody can verify a signature on a bid and can confirm 
whether the bidder is valid or not. 

(g) Unlinkability among different auctions: nobody can link the same 
bidder's bids among plural auctions. 

(h) Linkability in an auction: anybody can link which bids are placed by the 
same bidder and knows how many times a bidder places a bid in an auction. 

(i) Efficiency of bidding: the computation and communication amount in 
both bidding and verifying a bid is practical. 

1.2 Related Works 



Only a few studies on English auctions have been reported, as far 
as we know. On the other hand, many studies on sealed-bid auctions 
have been proposed, because a sealed-bid auction can realize fairness 
more easily than an English auction or a public auction. These studies do not 
concern the security aspect of public auctions but describe different 
methods. An electronic English auction using reverse hash chains as a bid, 
which is similar to multiple sealed-bid biddings, has also been proposed in order to 
satisfy fairness. When a bidder participates in an auction, it has two advantages: 
a valid bidder can place a bid many times by using only one one-time signature, 
and bidder fairness is satisfied for a non-trusted center. However, in this 
protocol, the following two problems exist: 

1. Anonymity for AM is not satisfied after each bidding since AM knows the 
bidder's identity. 

2. The bidding points are set up discretely. For n bidding points, it is necessary 
for a bidder to compute hash functions n times. Apparently each bidder 
cannot place a bid as she/he likes. 

Another work proposed an electronic English auction which keeps bidder privacy 
using a slightly modified group signature scheme. So this protocol suffers 
from the following drawbacks of group signature schemes. In their scheme, a 
group manager (GM) works as AM and a group member corresponds to a bidder. 

The first problem, which is the most serious, is the rather complicated signature 
generation and verification procedure. In these group signature schemes, a membership certificate 
is used to reduce the data size of the public group key: only a group member 
has the certificate issued by GM. When each member generates a signature 
on this certificate and a bid, she/he is required to give a proof of knowledge. 
However, the proof of knowledge needs an enormous number of modular multiplications. In 
an English auction, signature generation or verification corresponds to bidding 
or verification of bids respectively, both of which are required in each bidding. 
In an electronic auction, reducing the computation amount of both signature 
generation and verification is of much more concern than reducing the 
group public key size. Therefore we realize an electronic English auction with 
both fairly simple bidding and verifying procedures by introducing a bulletin 
board, which is usually used for putting up each bid. The important feature of a 
bulletin board is that anybody can check the correctness of the board easily. In 
our protocol, the computation amount for both bidding and verifying a bid can 
be reduced by using this feature of the bulletin board. 

The second problem is anonymity. The group signature does not satisfy 
anonymity for GM at all since GM has a special authority. However, in an 
electronic auction, any bidder surely desires that nobody knows how much she/he 
wants to pay for the goods. Therefore, we need a technique like the identity escrow scheme, 
which introduces an Identity Escrow Agency (EA) in order to enhance anonymity 
for GM. This scheme realizes the perfect separability between GM and EA: only 
EA can identify a user by himself. This means that, in a sense, anonymity for 
EA is not satisfied at all. In an electronic auction, it is required that neither 
AM (GM) nor RM (EA) can identify the bidder from a signature on a bid, but 
cooperation of both parties can certainly recover the identity. In our protocol, 
neither AM nor RM alone can identify any bidder, but RM can open the signature 
on a bid with the help of AM and can identify the bidder. Even if a winner is 
identified in an auction, the winning bidder can participate in the next auction 
while maintaining enough anonymity for both RM and AM. 

The third problem is that it is rather difficult to revoke a bidder since a 
membership certificate is distributed to each bidder. Revocation 
of a bidder is necessary when a bidder wants to withdraw from an auction or RM 
wants to revoke a certain bidder. Therefore RM should be able to revoke a bidder 
easily. In our protocol, revocation of a bidder is done easily by using a bulletin 
board: just remove her/him from it. 

1.3 Our Result 

We propose a practical anonymous electronic English auction protocol satisfying 
the above eleven properties: (a) Anonymity, (b) Traceability, (c) No framing, 
(d) Unforgeability, (e) Fairness, (f) Verifiability, (g) Unlinkability among 
different auctions, (h) Linkability in an auction, (i) Efficiency of bidding, (j) One-time 
registration, and (k) Easy revocation. Our protocol satisfies both (a) and (b) 
simultaneously by using a combination of the signature of knowledge 
and two kinds of bulletin boards. In particular, the computation amount of both 
bidding and verifying each bid is fairly reduced by introducing a bulletin board. 
In our protocol, there are two managers, RM and AM. RM manages the 
correspondence of bidder identity to public key, and can identify a winner or a faulty 
bidder with the help of AM. When a certain bidder is to be identified after a winner 
decision procedure or in later disputes, AM has only to request RM to identify the 
bidder. 

Notable features of our scheme are as follows: 

— both of bidding and verification of bids are done quite efficiently by intro- 
ducing a bulletin board. 

— Any bidder can participate in plural auctions by only one-time registration. 
Even if a bidder is identified as a winner, she/he can participate in the next 
auction without repeating registration, maintaining anonymity for RM, AM, 
and any bidder. 

— RM can easily revoke a bidder. 

— Even if both RM and AM collude, they cannot impersonate any bidder. 

The remainder of this paper is organized as follows. Section 2 summarizes 
a basic scheme using group signatures. Section 3 describes our protocol in 
detail. Section 4 considers fairness. Section 5 investigates the properties of our 
scheme. 

2 Related Work 

Here we summarize a previous English auction scheme which uses the idea of 
group signatures. 

2.1 Group Signature 

The concept of group signature was introduced by Chaum and van Heyst. 
A group signature allows any member to sign on behalf of a group and keeps the 
member's identity secret. A later work gave the first efficient group signature scheme, 
in that the sizes of both the group's public key and of signatures are independent of 
the number of group members and the group's public key remains unchanged 
if a new member is added to the group. Later, group signature schemes with 
improved performance and better flexibility were proposed. The previous auction scheme is 
based on these group signatures. 

In an English auction, GM works as AM and a group member corresponds 
to a bidder. When a bidder places a bid, she/he generates a group signature on 
the bid. The validity of the signature can be verified easily by any participant using the 
group public key, but no participant knows who placed the bid. 

2.2 Previous Scheme 

Setup: AM computes an RSA modulus $n$, where $n$ is the product of two primes, 
an RSA key pair $(e, d)$, a cyclic group $G = \langle g \rangle$ of order $n$ over the finite 
field $\mathbb{Z}_p$ for a prime $p$, an element $a \in \mathbb{Z}_n^*$ that is of order $\phi(n)/4$, 
and an upper bound $\lambda$ on the length of the secret keys; a revocation 
manager chooses $h \in G$ with order $n$, computes an ElGamal encryption key pair 
$(\rho, Y_R (= h^{\rho})) \in \mathbb{Z}_n \times G$, and sets a constant. The group public key is 
$\mathcal{Y} = (n, e, G, g, a, \lambda, h, Y_R)$. AM's secret key is $d$ and the revocation manager's 
secret key is $\rho$. 

Registration: Alice randomly generates a secret key $x \in \{0, \ldots, 2^{\lambda} - 1\}$ and 
sends the values $y = a^x \pmod n$ and $z = g^y$ to AM; AM returns $v = 
(y + 1)^d \pmod n$. Note that AM cannot see the value of $x$. 

Bidding Phase: In order to put a bid $m$ with her signature, she computes the 
following values $(d_1, d_2, V_1, V_2, V_3)$: 

- $\hat{g} = g^r$ and $\hat{z} = z^r$ for $r \in_R \mathbb{Z}_n$; 

- $d_1 = Y_R^u g^y$ and $d_2 = h^u$ for $u \in_R \mathbb{Z}_n$; 

- $V_1 = SK[(\gamma, \delta) : \hat{z} = \hat{g}^{\gamma} \wedge d_2 = h^{\delta} \wedge d_1 = Y_R^{\delta} g^{\gamma}](m)$; 

- $V_2 = SK[(\beta) : \hat{z} = \hat{g}^{a^{\beta}}](V_1)$; 

- $V_3 = SK[(\alpha) : \hat{z}\hat{g} = \hat{g}^{\alpha^e}](V_2)$. 

The notation of a signature of knowledge of $(x_1, \ldots, x_k)$ on a message $m$ is as 
follows: 

  $SK[(x_1, \ldots, x_k) : z_1 = f_1(x_1, \ldots, x_k) \wedge \cdots \wedge z_l = f_l(x_1, \ldots, x_k)](m).$ 

The secrets $x_1, \ldots, x_k$ satisfy all $l$ statements: $z_1 = f_1(x_1, \ldots, x_k), \ldots, z_l = 
f_l(x_1, \ldots, x_k)$. Assume that computing the discrete logarithm, the double 
discrete logarithm and the $e$-th root of the discrete logarithm is infeasible. 
For the concrete algorithm for these signatures the reader is referred to the literature. Alice's group 
signature consists of the set $(d_1, d_2, V_1, V_2, V_3)$. If the signature $(V_1, V_2, V_3)$ is 
valid, anyone can confirm that $(d_1, d_2)$ is an encryption of $z$ under the ElGamal 
encryption function with the revocation manager's public key $Y_R$, and that 
Alice knows her secret key $x$ and her membership certificate $v$. 



226 



Kazumasa Omote and Atsuko Miyaji 



Winner Decision Phase: The revocation manager decrypts $(d_1, d_2)$ using his 
secret key $\rho$ and identifies the member Alice from $z$, since he knows the 
correspondence of $z$ to the member's identity. 

In this scheme, the signature $V_3$ is slightly modified using a verifiable group 
signature sharing scheme in order to satisfy anonymity of the bidder. 

2.3 Undesirable Properties of the Scheme 

In this scheme, the following problems exist. 

Efficiency: In applying a group signature to an electronic auction, it is necessary 
to generate or verify a signature on each bid. Signature generation or 
verification corresponds to bidding or verification of bids respectively, both 
of which are required in each bidding. However, the computation amount for 
both signature generation and verification is rather large. Therefore it is not 
realistic to apply a group signature directly to an electronic auction, which 
requires real-time operation. 

Revocation of Bidder: In an electronic auction, revocation of a bidder is 
frequently conducted when a bidder wants to withdraw from an auction or 
AM wants to revoke a certain bidder. So the revocation procedure should not be 
complicated. However, in the previous scheme, it is rather difficult to revoke 
a bidder since a membership certificate has been distributed to each bidder. 
Of course, a bidder does not want to publish her/his secret 
key in the revocation procedure. A revocation manager has to keep her/his $z$ in 
a black list to revoke a certain bidder. Therefore a revocation manager can 
discover the unacceptable signature generated by a revoked bidder. 

3 Our Protocol 

In this section, we propose a practical electronic English auction. 

3.1 Entities 

The entities of our scheme consist of the registration manager (RM), the auction 
manager (AM) and a bidder (B), where each role of AM or RM is slightly different 
from that of the previous scheme. The role of each entity is as follows: 

- RM: 

• guarantees the correspondence of a bidder to bidder’s registration key. 

• works like Identity Escrow Agency and identifies a certain bidder when 
AM requests. 

- AM: 

• sponsors several auctions. 

• controls the number of a bidder’s bidding in an auction. 

- Bidder (B): 

• participates in an auction that AM holds. 



A Practical English Auction with One-Time Registration 227 

3.2 Notations 

Notations are defined as follows: 

$p, q$ : two large primes ($q \mid p - 1$) 
$g$ : an element $g \in \mathbb{Z}_p$ with order $q$ 
$l$ : the number of bidders 
$i$ : the index of bidders ($i = 1, \ldots, l$) 

$B_i$ : bidder $i$ 

$x_i$ : a secret key of $B_i$ ($x_i \in_R \mathbb{Z}_q$) 

$y_i$ : a public key of $B_i$ ($y_i = g^{x_i}$) (Note that a public key is used as a 
registration key, and does not reveal the bidder's identity.) 

$r_i$ : AM's random number for $B_i$ ($r_i \in_R \mathbb{Z}_q$) 
$t_i$ : a random number of $B_i$ ($t_i \in_R \mathbb{Z}_q$) 

$T_i$ : an auction key for $B_i$ 
$k$ : the index of auctions ($k \ge 1$) 

$Y_{AM}$ : AM's public key ($Y_{AM} = g^{\rho}$, $\rho \in_R \mathbb{Z}_q$) 

$Enc$ : $Enc(key, data)$ is a secret key encryption function using a secret 
key $key$ (Note that a ciphertext is uniquely determined.) 

$Enc^j$ : $Enc^j(key, data)$ is $j$-times encryption using the same $key$: 
$Enc(key, Enc(key, \cdots))$. 

3.3 Procedure 

Initialization: RM publishes $p$, $q$ and $g$. AM computes a pair of public key and 
secret key $(Y_{AM}, \rho)$ using $g$ and publishes $Y_{AM}$. 

Bidder Registration: A bidder Alice ($B_j$) registers her registration key in the 
following steps: 

1. Alice chooses her secret key $x_j$ and computes her registration key $y_j = 
g^{x_j} \pmod p$; 

2. She chooses a random number $t_j$, named ticket. She uses her ticket in order 
to find her auction key $T_j$ on AM's bulletin board. Note that she can also find 
her auction key $T_j$ without using her ticket by checking that $y_j^{r_j} = (g^{r_j})^{x_j}$; 

3. She sends $\{y_j, t_j\}$ to RM as her registration key, registers her identity and 
proves that she knows the discrete logarithm $x_j$ of $y_j$ to the base $g$ by showing 
$V_1$, 

  $V_1 = SK[(\alpha) : y_j = g^{\alpha}](m_R),$ 

where $m_R$ is a message published by RM; 

4. When RM accepts that Alice knows the discrete logarithm, he publishes her 
registration key $\{y_j, t_j\}$ on his bulletin board, while RM keeps her name 
secret (Figure 1). 

Although Alice's name is not published on RM's bulletin board, she can easily 
confirm whether her registration key exists on that board or not. Here a 
registration key works also as a pseudonym. We assume that RM cannot make 
up the secret key of a certain bidder. 
[Figure: Bulletin Board] 

Fig. 1. Bulletin Board 



AM's Setup: When a vendor requests AM to hold an auction, AM conducts 
the following procedure. For simplicity, here a bidder $B_i$ participates in the $k$-th 
auction. 

1. AM computes a shared secret key $y_i^{\rho}$ with each bidder $B_i$ ($y_i^{\rho} = g^{x_i \rho}$) by 
using Diffie-Hellman key distribution. 

2. AM generates the random numbers $\{r_1, \ldots, r_l\} \in_R \mathbb{Z}_q$, one for each bidder 
published on RM's bulletin board, and keeps the numbers $\{r_1, \ldots, r_l\}$ secret. 

3. AM encrypts $t_i$ to $Enc^k(y_i^{\rho}, t_i) = Enc(y_i^{\rho}, Enc^{k-1}(y_i^{\rho}, t_i))$, the $k$-times $Enc$ 
using the shared key $y_i^{\rho}$. 

4. AM computes the following auction key $T_i$ for $B_i$ using $B_i$'s public key $y_i$ on 
RM's bulletin board: 

  $T_i = (Enc^k(y_i^{\rho}, t_i),\ y_i^{r_i},\ g^{r_i}).$ 

5. AM publishes the shuffled auction keys $T_i$ of all bidders on his bulletin board. 

AM's setup has the following properties: 

(A) Nobody except for AM can know the correspondence of $y_i$ to $T_i$ since $y_i$ is 
concealed as $y_i^{r_i}$ in $T_i$ and the keys are shuffled by AM; 

(B) AM cannot identify a bidder since he does not know the correspondence of 
$B_i$'s identity to $y_i$. 



Bidding: Alice, who wants to participate in the $k$-th auction, can easily find her 
bidding key $T_j$ in $\{T_1, \ldots, T_l\}$ published by AM because she knows the value 
$Enc^k(y_j^{\rho}, t_j)$ in advance by using $y_j^{\rho} = Y_{AM}^{x_j}$. Alice generates the signature of 
knowledge $V_2$ using both $y_j^{r_j}$ and $g^{r_j}$ in $T_j$. 

When she places a bid, she sends the following bid information $(m_j, y_j^{r_j}, g^{r_j}, 
V_2)$ to AM. 

— a bid $m_j$ ($m_j$ = auction ID || bid value) 

— $y_j^{r_j}$ and $g^{r_j}$ (published by AM) 

— $V_2 = SK[\alpha : y_j^{r_j} = (g^{r_j})^{\alpha}](m_j)$ 

Here $V_2$ implies that $B_j$ knows the value of $\alpha = x_j$ if $V_2$ is a valid signature. 
Furthermore both $y_j^{r_j}$ and $g^{r_j}$ also work as a kind of certificate. 

Verifiability: We assume that AM checks the validity of the signature $V_2$ on 
each bid. Of course, anybody can check the validity. If the signature $V_2$ is invalid, 
AM removes the bid carrying $V_2$. 

Checking the validity of the signature of knowledge $V_2$, anybody can confirm 
that a bidder surely knows her/his secret key. Furthermore anybody can accept 
that the signer is one of the bidders if the values $y_j^{r_j}$ and $g^{r_j}$ in $V_2$ are published 
on AM's bulletin board. 

Winner Decision: Let Alice’s bid mj be a winning bid. AM proves to RM 
that the public information yj'"^ added to a winning bid rrij corresponds to the 
registration key yj by sending RM the value rj^ . Note that only RM can identify 
Alice as a winner for the first time, and that AM cannot identify a winner Alice 
in this winner decision. 

Winner Announcement: Only the entity RM knows the winner’s identity 
after the winner decision procedure. This means that all participants including 
AM cannot identify a winner but can confirm the validity of a winner. If RM 
informs a vendor of winner’s identity after the winner decision procedure, nobody 
except for RM can identify a winner. Therefore anonymity of a winner is satisfied 
without changing her/his registration key managed by RM. 

Generally, there is a problem of bidder collusion to form a ring. However,
in our protocol, even if a winner Alice offers her values of bid, no bidder can
identify her at the next auction, because AM changes r_k at every auction.
Unlinkability among different auctions holds in our protocol.

4 Fairness of Bidder 

Fairness of bidder in an electronic auction means that any bid is fairly accepted 
by AM. Generally, in an electronic English auction, fairness of bidder depends 
on AM. There are two unfairness acts by AM: 

1. AM repudiates any higher bids than a certain value.

2. AM repudiates any bidding by a certain bidder.

In order to satisfy the fairness of the above 1, a bidder has to conceal a bid value from
AM. As for the above 2, a bidder has to place a bid anonymously. Our protocol
keeps the fairness of case 2 since bidding is done anonymously, but is vulnerable
to case 1 since any value on bids is revealed. In order to avoid case 2, we
may use a non-repudiation protocol.
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4.1 Outline of Non-repudiation Protocol 

The non-repudiation protocol is that Alice sends a message to Bob and then 
Bob cannot repudiate a receipt of the message from Alice. We summarize the 
basic procedure. 

1. Alice encrypts a message m into C and sends it to Bob.

2. He sends his signature S_Bob(C) back to her after receiving C.

3. She sends the decryption key K of C to him after receiving S_Bob(C).

Note that if Bob repudiates K after the deadline, she deposits K in TTP (Alice 
cannot know whether Bob repudiates K or the network between Alice and Bob 
is broken down) . TTP publishes K using public directory service as soon as TTP 
receives it. Bob cannot deny receiving a message m if the network between Bob 
and TTP is not permanently broken down. 

4.2 Bidding Procedure with Non-repudiation 

Fairness of bidder is realized by introducing the idea of the non-repudiation protocol
described above. The non-repudiation protocol is added to the bidding procedure of our
protocol. Alice and Bob correspond to a bidder B_i and AM, respectively. RM also
plays the role of TTP. In our protocol, both RM and AM use a public bulletin
board. A bid m is placed as follows:

1. AM cannot know each bid value since the bid information is encrypted by a 
bidder. 

2. AM publishes B_i's signature S_{B_i}(C) on AM's bulletin board instead of re-
turning it since AM does not know who B_i is.

3. Even if AM repudiates a receipt of decryption key K from a bidder, he 
cannot deny getting bid information since RM publishes K in his bulletin 
board. 

5 Consideration 

5.1 Features 

We discuss the following eleven properties in our protocol. 

(a) Anonymity: nobody including either RM or AM can identify a bidder from 
her/his signature on a bid. Furthermore AM cannot identify a bidder though 
RM can identify a bidder with the help of AM. More importantly any bidder 
can anonymously participate in another auction by using the same registra- 
tion key even if she/he has been identified once. 

(b) Traceability: RM can open a signature on a bid with the help of AM and 
can identify the bidder. So a winner cannot deny that she/he has submitted 
the winning bid after the winner decision procedure. 

(c) No framing: this will be discussed in Section 5.2.
(d) Unforgeability: nobody can forge a bid with a signature since nobody
can generate a valid signature using the registration key in AM's bulletin
board.

(e) Fairness: our scheme has fairness of bidder if it applies the non-repudiation
protocol to bidding. Otherwise AM may decide which bids to accept.
However, AM's misbehavior is revealed by the bulletin board: a bidder can point
out that AM does not accept her/his bid. Furthermore AM cannot identify a
bidder from bids. Therefore such a dishonest act may not have an influence
on the electronic auction.

(f) Verifiability: anybody can verify the signature V 2 on a bid. Furthermore 
anybody can confirm whether a bidder is valid or not by checking her/his 
registration key in AM’s bulletin board. 

(g) Unlinkability among different auctions: each bidding key generated by
AM is different in each auction since AM's secret information r_k, which
is different in every auction, is embedded in y_i^{r_k} and g^{r_k} with a bid. So nobody
except for AM can link two signatures among different auctions. Although
AM can link all bids of B_j in all auctions, AM cannot get the identity of B_j
except by collusion with RM.

(h) Linkability in an auction: a real auction has linkability within an auction.
An auction becomes active by a certain aggressive bidder who always places
a higher bid. Anybody knows how many times a bidder places bids in an
auction from the signature since a bidder uses both y_i^{r_k} and g^{r_k} as a part of the
bidding information in an auction.

(i) Efficiency of bidding: this will be discussed in Section 5.3.

(j) One-time registration: any bidder can take part in plural auctions as a 
valid bidder in one-time registration of registration key, maintaining ano- 
nymity for RM, AM, and any bidder. 

(k) Easy revocation: this will be discussed in Section 5.4.

5.2 No Framing 

Here we discuss the security against framing attacks such that an entity imper- 
sonates another valid bidder. 



Security against Collusion of RM and AM: Even if RM and AM
collude, they cannot impersonate a bidder, for the following reason. In our
protocol, in order to impersonate a bidder, RM and AM must show that they
know the bidder's secret key x_i, which is the discrete logarithm of a part of the
bidding key in AM's bulletin board. However only the bidder B_i knows x_i, so they
cannot impersonate a bidder.



Security against RM, AM, Other Bidders, and Outsiders: For the same
reason as above, RM, AM, other bidders and outsiders also cannot imper-
sonate another valid bidder.
Table 1. Performance for a bidder

               Modular multiplications (1024-bit)          Communication amount (kbit)
               Registration   Bidding       Verification   Registration   Bidding
[TS]           1,500          218,600       206,700        1.3            7.6
Our scheme     480            240 (560)¹    320 (560)      1.3            2.4


5.3 Performance 

In this section, we compare our scheme with the previous scheme [TS] in Section
2 from the viewpoints of computation and communication amount for a bid-
der, which are shown in Table 2. For simplicity we estimate the computation
amount by the number of 1024-bit modular multiplications and let the system
parameters be e = 3, |n| = |p| = 1024, |q| = λ = 160, |H| = 160 and a security
parameter ℓ = 64. From Table 2, we see that the computation amount for a
bidder is much reduced compared with the previous scheme. In particular, it
is most important to reduce the modular multiplication amount of bidding
and verification, because both are conducted many times in an auction. The
computation amount in our scheme is dramatically reduced by introducing two
kinds of bulletin boards and an auction key. AM has only to check whether the
signature V2 is valid or not and whether an auction key exists in his
bulletin board or not when a bidder places a bid. In this way the computation
amounts of both bidding and verification are reduced. Therefore our scheme can
practically realize an electronic auction.

5.4 Easy Revocation 

In an electronic auction, revocation of a bidder can be conducted frequently,
when a bidder wants to withdraw from an auction or RM wants to revoke a
certain bidder. Therefore it should be simple and easy. Furthermore the bidding
history is kept secret if a bidder is revoked. In the previous scheme, it is rather
difficult to revoke a bidder since a membership certificate is distributed to each
bidder. In our protocol, it is easy to revoke a bidder: RM has only to delete the
bidder from RM's bulletin board. Note that AM requests RM to revoke a certain
bidder by informing RM of her/his information (e.g. the value r_k), or that a bidder requests
RM to revoke herself/himself.

6 Conclusion 

We have proposed a practical electronic auction which satisfies (a) Anonymity,
(b) Traceability, (c) No framing, (d) Unforgeability, (e) Fairness, (f) Verifiability,
(g) Unlinkability among different auctions, (h) Linkability in an auction, (i) Effi-
ciency of bidding, (j) One-time registration, and (k) Easy revocation. Five notable
features are:

¹ This value in brackets shows the case that fairness of bidder is realized.
(1) both bidding and verification of bids are done quite efficiently by intro-
ducing a bulletin board,

(2) anonymity for RM, AM and any participant can be realized to plural auc- 
tions by only one-time registration, 

(3) RM can easily revoke a bidder, 

(4) nobody can impersonate any bidder, and 

(5) Fairness of bidder can be realized. 
Abstract. The rapid growth of wireless systems provides us with mobil-
ity. In mobile environments, authentication of a user and confidentiality
of his identity and location are two major security issues, which seem
incompatible with each other. In this manuscript, we propose a user au-
thentication scheme with identity and location privacy. This scheme is
an interactive protocol based on public key cryptosystems. In the pro-
posed scheme, to prove his authenticity, a user utilizes a digital signature
scheme based on a problem with a random self-reducible relation such
as the square root modulo a composite number problem and the dis-
crete logarithm problem. We also define the security requirements for
user authentication with identity and location privacy, impersonation-
freeness and anonymity, against active attacks, and prove that the pro-
posed scheme satisfies them assuming the security of the cryptographic
schemes used in the scheme. Furthermore, we show that we can construct
authenticated key agreement schemes by applying the proposed scheme
to some existing authenticated key agreement schemes.



1 Introduction 

The rapid growth of wireless systems provides us with mobility. In mobile envi- 
ronments, the service area of a service provider is divided into domains, each of 
which is covered by a network operator. Each user moves around the domains 
and gets some services through the network operator of the visiting domain. 
In such a situation, user authentication is necessary for accounting. It is also 
necessary to ensure the identity and location privacy, that is, users’ identity and 
location information should not be disclosed to unauthorized entities. However, 
these two requirements seem incompatible with each other. 

In this manuscript, we present a solution to this problem, user authentication 
with identity and location privacy (ILP), in a public key setting. We assume that 
user authentication is achieved with a challenge-and-response scheme based on 
a digital signature scheme. 

Suppose that a user uses the same public key and proves his authenticity to 
different network operators. In this case, the location privacy is not provided. 
These network operators are able to track the user by colluding with each other, 
even if the user uses some pseudonym and hides his real ID. To avoid the tracking, 
the user has to generate and use his temporary public key whenever he proves 
his authenticity. We present an efficient scheme which achieves this goal. As is
in the typical situation, it is assumed that the service provider keeps the public 
keys of its users. Each of the corresponding secret keys is known only to the 
user. We call these public/secret keys original public/secret keys of the user. 

To prove his authenticity to the network operator he is visiting, each user uti- 
lizes a digital signature scheme based on a problem with a random self-reducible 
relation such as the square root modulo a composite number problem or the 
discrete logarithm problem. Thus, the proposed scheme can be constructed with 
practical digital signature schemes such as the ElGamal scheme, the Fiat-
Shamir scheme, the Schnorr scheme, the Pointcheval-Stern scheme
and so on.

When a user proves his authenticity, he computes a pair of temporal public 
and secret keys from his original key pair and a random seed by utilizing the 
random self-reducibility of the problem the digital signature scheme is based on. 
The user signs for the challenge from the network operator he is visiting and 
the temporal public key by using the temporal secret key. The user’s ID and the 
random seed are sent to his service provider through the network operator after 
being encrypted so as to be recovered only by his service provider. The validity 
of the temporal public key is guaranteed by his service provider that is able to 
compute it from the user’s original public key it keeps and the random seed. 

In this manuscript, we also initiate the study of provable security of user au- 
thentication schemes with ILP. We first define two security requirements for user 
authentication with ILP, impersonation-freeness and anonymity, both of which 
are against active attacks. Then we prove that the proposed scheme satisfies 
these requirements assuming the security of the cryptographic schemes, public 
key encryption schemes and digital signature schemes, used in the scheme. 

Furthermore, we show that we can construct authenticated key agreement 
schemes by applying the proposed scheme to existing authenticated key agree- 
ment schemes such as those in [?]. As an example, we show an authenti-
cated key agreement scheme constructed by applying the proposed scheme to
the station-to-station protocol [3].

1.1 Related Works 

User authentication schemes have already been incorporated in the specifications
of cellular phone systems such as GSM and CDPD. These schemes,
however, do not provide anonymity of users.

Molva, Samfat and Tsudik presented an efficient user authentication
scheme with anonymity based on KryptoKnight. Their scheme is constructed
with private key cryptosystems. Thus, their approach is quite different from ours. 
In addition, they focused on user authentication and did not fully discuss the 
anonymity. Their security analysis of the anonymity was quite informal. 

Herzberg, Krawczyk and Tsudik discussed the anonymity problem in mo-
bile environments. They reviewed the existing approaches and proposed several 
potential solutions based on private key cryptosystems or public key cryptosys- 
tems. As a scheme based on private key cryptosystems, they presented the same 
scheme as the one in [?]. For public key based schemes, they focused on provid-
ing the framework rather than proposing some concrete schemes. Furthermore, 
their security analysis is also quite informal. 

In [?], for third generation mobile telecommunications systems, several user
authentication schemes with ILP are proposed. One of the protocols is based 
on public key encryption schemes and uses the service provider on-line. Fur- 
thermore, it is mentioned that the scheme needs a temporary user public key 
encryption transformation. However, no solution is provided for this problem. 

1.2 Organization of This Manuscript 

This manuscript is organized as follows. In Section 2, random self-reducibility, 
which is the basis of the proposed scheme, is reviewed. The proposed user au- 
thentication scheme with ILP is presented in Section 3. As an example, the 
proposed scheme constructed with the Schnorr scheme is presented in the same 
section. In Section 4, two security requirements for user authentication with ILP, 
impersonation- freeness and anonymity, are defined and it is proved that the pro- 
posed scheme satisfies these requirements. Efficiency of the proposed scheme is 
also discussed in this section. In Section 5, it is shown that authenticated key 
agreement protocols can be constructed by applying the proposed scheme to 
existing authenticated key agreement schemes. 

2 Random Self-Reducibility

In this section, random self-reducibility, on which the proposed scheme is based,
is reviewed in [?].

Let 𝒩 be a countably infinite set. For any N ∈ 𝒩, let A_N, B_N be finite sets
and R_N ⊆ A_N × B_N be a relation.

dom(R_N) = {a ∈ A_N | (a, b) ∈ R_N for some b ∈ B_N} is called the domain of
R_N, and R_N(a) = {b | (a, b) ∈ R_N} is called the image of a ∈ A_N.

Let R be the relation {((N, a), b) | N ∈ 𝒩 and (a, b) ∈ R_N}. R is called a
random self-reducible relation if there exists an algorithm M_1 for R which has
the following properties:

M_1 is an algorithm which outputs a' ∈ dom(R_N) satisfying the following
conditions on input N ∈ 𝒩, a ∈ A_N, r ∈ {0, 1}* in steps.

— If each bit of r is selected randomly, uniformly and independently, then a' is
uniformly distributed over dom(R_N).

— There exists an algorithm which outputs some b ∈ R_N(a) on input
N ∈ 𝒩, a ∈ A_N, r̄, b' ∈ R_N(a') in steps, where r̄ is a finite prefix of
r used by M_1(N, a, r).

— There exists an algorithm M_2 which outputs some b' ∈ R_N(a') on input N,
a, r, b ∈ R_N(a) in steps. Furthermore, if each bit of r is selected
randomly, uniformly and independently, then b' is uniformly distributed over
For example, the square root modulo a composite number problem, the dis-
crete logarithm problem and the graph isomorphism problem are problems
with random self-reducible relations. A random self-reducible relation of the dis-
crete logarithm problem is as follows.

For a positive integer k, let Z_k = {0, 1, 2, ..., k − 1} and Z_k^* = {x | x ∈ Z_k,
gcd(x, k) = 1}. Let 𝒩 = {(p, g) | p is prime, g ∈ Z_p^* and g is a primitive element},
and R_(p,g) = {(a, b) ∈ Z_p^* × Z_{p−1} | a = g^b mod p}. Since g is a primitive
element, dom(R_(p,g)) = Z_p^*. For any a ∈ dom(R_(p,g)) and r ∈ Z_{p−1}, let a' =
a g^r mod p. Then, if r is randomly selected, a' is uniformly distributed over
dom(R_(p,g)). Furthermore, since b' = b + r mod p − 1, b or b' is easily obtained
from r and b' or from r and b, respectively.

In this manuscript, we present a user authentication scheme which utilizes
a digital signature scheme based on a problem with a random self-reducible
relation. For this kind of digital signature scheme with a random self-reducible
relation R = {((N, a), b) | N ∈ 𝒩 and (a, b) ∈ R_N}, N is a public key shared by
all users, a is a public key of a user and b is the secret key corresponding to a.



3 The Proposed Scheme 

3.1 Overview 

In this section, we present an overview of the proposed user authentication 
scheme with ILP, which is based on public key cryptosystems. 

We assume that there exists a service provider and that its service area is 
divided into domains. We also assume that each domain is covered by a network 
operator. A network operator checks the authenticity of a user who makes a 
request in the domain it covers. 

Each user has his own pair of a public key and a secret key, which is used 
for proving his authenticity. We call the public/secret keys of a user the original 
public/secret keys of the user. The service provider maintains the original public 
key of each user. Notice that the original secret key of a user is known only to 
the user. 

The proposed scheme enables a user to prove his authenticity to the network 
operator he is visiting without disclosing his ID and location with the aid of the 
service provider. The user proves his authenticity with a challenge-and-response 
protocol based on a digital signature scheme. 

When a user proves his authenticity, he computes a pair of temporal public 
and secret keys from his original key pair and a random seed by utilizing the 
random self-reducibility of the problem the digital signature scheme is based on. 
The user signs for the challenge from the network operator he is visiting and 
the temporal public key by using the temporal secret key. The user’s ID and the 
random seed are sent to the service provider through the network operator after 
being encrypted so as to be recovered only by the service provider. The validity 
of the temporal public key is guaranteed by the service provider who is able to 
compute it from the user’s original public key it keeps and the random seed. 




A User Authentication Scheme with Identity and Location Privacy 239 



3.2 Description of the Scheme 

Before describing the proposed scheme in detail, we introduce some notations. 

Let U be a user, SP be the service provider and NO be a network operator
U is visiting. Let I_U, I_SP, I_NO be the IDs of U, SP and NO, respectively. IDs
are assumed to be binary strings.

Let Sig be a signing algorithm used by the users to prove their authenticity.
The subscript of Sig is the key used when signing. The digital signature scheme
with this signing algorithm is assumed to be based on some problem with random
self-reducibility. For this scheme, let N be a public key shared by all users and
let a, b be the original public key and the original secret key of U, respectively.
For N, a, b, let M_1 be an algorithm which outputs a temporal public key on input
N, a and a random seed r, and M_2 be an algorithm which outputs a temporal
secret key on input a, b and a random seed r. These algorithms are publicly
available.

Let E_SP be an encryption algorithm of some public key encryption scheme.
The decryption key corresponding to E_SP is kept secret only by SP. Let S_SP, S_NO
be signing algorithms of SP and NO, respectively. It is not necessary for E_SP,
S_SP, S_NO to be based on problems with random self-reducibility.

The proposed user authentication scheme with ILP:

1. U randomly selects r and α, and sends c, I_SP, α to NO, where c = E_SP(I_U, r).
He also computes a temporal public key a_tmp = M_1(N, a, r) and a temporal
secret key b_tmp = M_2(N, a, b, r).

2. After receiving c, I_SP, α from U, NO sends c, I_NO to SP. He also randomly
selects β, computes S_NO(α, β), and sends β, S_NO(α, β) to U.

3. After receiving c, I_NO from NO, SP recovers I_U, r from c. If the plaintext
obtained from c is invalid, then SP terminates the execution. Otherwise,
he computes the temporal public key of U, a_tmp = M_1(N, a, r) and sends
S_SP(c, a_tmp), a_tmp to NO.

After receiving β, S_NO(α, β) from NO, U verifies the validity of S_NO(α, β). If
it is invalid, then he terminates the execution. Otherwise, he computes a sig-
nature of β, a_tmp with the temporal secret key b_tmp and sends Sig_{b_tmp}(β, a_tmp)
to NO.

4. NO receives S_SP(c, a_tmp), a_tmp from SP and verifies the validity of
S_SP(c, a_tmp). If it is invalid, then NO terminates the execution. Otherwise,
after receiving Sig_{b_tmp}(β, a_tmp) from U, NO verifies its validity with the tem-
poral public key a_tmp. NO accepts U if and only if it is valid.

The above scheme is also shown in Fig. 1.

3.3 Example 

The proposed scheme can be constructed with digital signature schemes based
on problems with random self-reducibility: the ElGamal scheme, the Fiat-
Shamir scheme, the Schnorr scheme, the Pointcheval-Stern scheme
and so on.
Fig. 1. The proposed scheme. U is a user and NO is a network operator U is
visiting. SP is the service provider.



In the following, we present an example with the Schnorr scheme. Let p and
q be primes and q be a divisor of p − 1. Let g be an element of Z_p^* whose order
is q. Let p, q, g be the public keys of the Schnorr scheme shared by all users. Let
b ∈ Z_q be the original secret key of the user U and a = g^b mod p be the original
public key of U. Let h be a collision-free hash function. Furthermore, α and β
are assumed to be binary strings in {0, 1}^n, where n is appropriately determined.



An example of the proposed scheme constructed with the Schnorr scheme:

1. U randomly selects r ∈ Z_q and α ∈ {0, 1}^n, and sends c, I_SP, α to NO, where
c = E_SP(I_U, r). He also computes a temporal public key a_tmp = a g^r mod p
and a temporal secret key b_tmp = b + r mod q.

2. After receiving c, I_SP, α from U, NO sends c, I_NO to SP. He also randomly
selects β ∈ {0, 1}^n, computes S_NO(α, β), and sends β, S_NO(α, β) to U.

3. After receiving c, I_NO from NO, SP recovers I_U, r from c. If the plaintext
obtained from c is invalid, then SP terminates the execution. Otherwise, he
computes U's temporal public key a_tmp = a g^r mod p and sends S_SP(c, a_tmp),
a_tmp to NO.

After receiving β, S_NO(α, β) from NO, U verifies the validity of S_NO(α, β).
If it is invalid, then he terminates the execution. Otherwise, he computes a
signature of β, a_tmp with the temporal secret key b_tmp. That is, he randomly
selects x ∈ Z_q and computes y = g^x mod p, e = h(y, β, a_tmp), and w =
x − e b_tmp mod q. Then U sends e, w to NO.

4. NO receives S_SP(c, a_tmp), a_tmp from SP and verifies the validity of
S_SP(c, a_tmp). If it is invalid, then he terminates the execution. Otherwise, af-
ter receiving e, w, he verifies its validity. That is, he computes z = g^w a_tmp^e mod
p and checks whether e = h(z, β, a_tmp) or not. NO accepts U if and only if
it is valid.
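The Schnorr instantiation above, together with the M_1/M_2 algorithms of the discrete-logarithm relation in Section 2, as an added Python example (not code from the paper): it derives the temporal key pair from a seed, lets SP recompute a_tmp from the original public key alone, runs the step 3/4 signature check, and with recover_seed reproduces the seed-recovery step that the anonymity proof in Section 4.1 relies on. The parameters p = 2039, q = 1019, g = 4 and the SHA-256 instantiation of h are constructed toy choices.

```python
import hashlib
import secrets

# Constructed toy Schnorr parameters: p = 2q + 1 with q prime, g of order q in Z_p^*.
# They are far too small for real use and exist only to make the arithmetic visible.
P = 2039
Q = 1019
G = 4


def h(*parts):
    """The paper's collision-free hash h, instantiated here with SHA-256 reduced mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Original key pair of U: secret b in Z_q, public a = g^b mod p (held by SP)."""
    b = secrets.randbelow(Q - 1) + 1
    return pow(G, b, P), b


def m1(a, r):
    """M_1 of Section 2: temporal public key a' = a * g^r mod p. Needs only the public a."""
    return (a * pow(G, r, P)) % P


def m2(b, r):
    """M_2 of Section 2: temporal secret key b' = b + r mod q."""
    return (b + r) % Q


def recover_seed(b, b_tmp):
    """Inverse of M_2, the step used in the anonymity proof: r = b_tmp - b mod q."""
    return (b_tmp - b) % Q


def sign(b_tmp, beta, a_tmp):
    """Step 3 of Section 3.3: U signs (beta, a_tmp) with the temporal secret key."""
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    e = h(y, beta, a_tmp)
    w = (x - e * b_tmp) % Q
    return e, w


def verify(a_tmp, beta, e, w):
    """Step 4 of Section 3.3: NO computes z = g^w * a_tmp^e mod p and checks e = h(z, beta, a_tmp)."""
    z = (pow(G, w, P) * pow(a_tmp, e, P)) % P
    return e == h(z, beta, a_tmp)


def run_session(a, b, beta, r=None):
    """One authentication run. Returns (a_tmp as recomputed by SP, NO's accept decision).

    U derives (a_tmp, b_tmp) from the seed r; SP, holding only a and the r recovered
    from c, recomputes a_tmp independently and vouches for it; NO verifies U's
    signature under that a_tmp.
    """
    if r is None:
        r = secrets.randbelow(Q)
    a_tmp_user, b_tmp = m1(a, r), m2(b, r)
    a_tmp_sp = m1(a, r)            # SP never sees b
    if a_tmp_user != a_tmp_sp:
        return a_tmp_sp, False
    e, w = sign(b_tmp, beta, a_tmp_user)
    return a_tmp_sp, verify(a_tmp_sp, beta, e, w)


if __name__ == "__main__":
    a, b = keygen()
    beta = secrets.token_hex(8)        # NO's random challenge
    first, ok1 = run_session(a, b, beta)
    second, ok2 = run_session(a, b, beta)
    print("accepted:", ok1 and ok2, "| same temporal key across sessions:", first == second)
```

Given both original secret keys b_0, b_1 and the leaked b_tmp, the seed recovered for either user explains the same a_tmp (a g^r = g^{b_tmp} in both cases), so the transcript alone does not separate U_0 from U_1; only the ciphertext c does, which is exactly what Theorem 2 reduces to.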
4 Discussions

4.1 Security 

In this section, we discuss the security of the proposed user authentication 
scheme with ILP. We first define two security requirements, impersonation- 
freeness and anonymity, and then prove that the proposed scheme satisfies these 
requirements. 

In the proposed scheme, the service provider should be trusted because it 
guarantees the validity of temporal public keys of the users. A dishonest ser- 
vice provider is able to impersonate any user by randomly selecting a temporal 
secret key, generating the corresponding temporal public key and stating that 
the temporal public key is a valid key for the user. Thus, the service provider is 
assumed honest. 

Let ℓ be the security parameter. Let 𝒰, 𝒪 be the set of the users and the set
of the network operators, respectively. Both |𝒰| and |𝒪| are assumed to be
bounded by some polynomial of ℓ.

We consider the security against active attacks. A malicious adversary A is
a probabilistic algorithm and is assumed to operate in two successive phases:
the observation phase and the trial phase. In the observation phase, A can fully
control the network. A can arbitrarily select U's in 𝒰 and NO's in 𝒪, and make
them execute the protocol with SP. A can modify, replay or not deliver the
messages exchanged during the executions of the protocol. Furthermore, A can
corrupt U's and NO's. A can obtain the secret keys of corrupted U's and NO's
and also control them arbitrarily. On the other hand, A cannot corrupt SP. A
cannot obtain the secret keys of SP: neither the decryption key for E_SP nor the signing
key for S_SP. A cannot control SP either.

We define the security requirements, impersonation-freeness and anonymity, 
against the active adversary A. 

Impersonation-freeness. A user authentication scheme with ILP is impersonation-
free if no polynomially bounded adversary A succeeds with non-negligible prob-
ability in impersonating an uncorrupted user in the observation phase.

A’s behavior in the observation phase is described as above. At the end of 
the observation phase, A selects a network operator NO. 

In the trial phase, A executes the protocol with NO and SP, and tries to 
impersonate some user. Notice that A may not determine the user he tries to 
impersonate. 

Anonymity. To define anonymity, we consider the most advantageous scenario
for an adversary. A's behavior in the observation phase is described as above. At
the end of the observation phase, the adversary A selects two users U_0, U_1 and
a network operator NO. U_0, U_1 and NO may be corrupted in the observation
phase.

In the trial phase, the user U_i ∈ {U_0, U_1}, who is randomly selected, executes
the protocol with NO and SP. We assume that A does not know which one of
U_0, U_1 is selected. We also assume that U_0, U_1 are not corrupted and that NO
is corrupted. After the execution of this protocol, A outputs the value of i that
he guesses.

A user authentication scheme with ILP satisfies anonymity if
|Pr[A's guess is correct] − 1/2| is negligible.

In the definition of impersonation-freeness, impersonation of a network op-
erator NO is not mentioned. If the signature scheme of NO, S_NO, is existentially
unforgeable against the adaptive chosen-message attack, then it is impossible to
impersonate NO.

The definition of anonymity implies the anonymity against passive eaves- 
droppers though it describes the anonymity against network operators. 



Impersonation-Freeness. First, we make an assumption on the unforgeability
of the digital signature scheme of the users.

Assumption 1. For the digital signature scheme of the users, there exists a 
probabilistic polynomial time algorithm which computes the secret key with 
non-negligible probability by using an algorithm which can forge a signature 
with the adaptive chosen-message attack as an oracle. 

This assumption holds for digital signature schemes such as the Schnorr
scheme and the Pointcheval-Stern scheme.

Theorem 1. Suppose that the digital signature scheme of the service provider 
SP is existentially unforgeable against the adaptive chosen-message attack. If 
there exists an adversary A who succeeds in impersonation with non-negligible 
probability, then there exists a probabilistic polynomial time algorithm which is 
able to compute the original secret key of some user with non-negligible proba- 
bility in cooperation with SP by using A as an oracle. 

Proof. In the observation phase, an adversary A can make the adaptive chosen- 
message attack on the digital signature scheme of the users and that of SP. At 
the end of the observation phase, suppose that A selected a network operator 
NO. 

In the trial phase, A executes the protocol with NO and SP, and tries imper- 
sonation. 

Since the digital signature scheme of SP is assumed to be existentially un-
forgeable against the adaptive chosen-message attack, we do not consider the
attack such that A generates a temporal key pair (a_tmp, b_tmp) in some way,
forges S_SP(c, a_tmp), and succeeds in impersonation with b_tmp.

During the execution of the protocol with NO and SP, A first sends c, I_SP, α
to NO.

Notice that A does not necessarily know the plaintext corresponding to c, and
there may exist no valid plaintext corresponding to c. NO then sends c, I_NO to
SP.
If SP recovers a valid plaintext for some U ∈ 𝒰, then he computes
the temporal public key of U, a_tmp = M_1(N, a, r), and sends S_SP(c, a_tmp), a_tmp
to NO.

If A succeeds in impersonation with non-negligible probability, then he suc-
ceeds in forging signatures for random challenges from NO with non-negligible
probability. From Assumption 1 there exists a probabilistic polynomial time
algorithm Alg which can compute the temporal secret key b_tmp corresponding to
a_tmp by using A as an oracle. Thus, Alg can compute the original secret key of
U in cooperation with SP from N, a, r, b_tmp. □

This theorem implies that, for example, the proposed scheme constructed
with the Schnorr scheme is impersonation-free if users' public keys are selected
so that it is intractable to compute the corresponding secret keys.

Anonymity. To prove anonymity of the proposed scheme, we only consider a
random self-reducible relation R = {((N, a), b) | N ∈ 𝒩 and (a, b) ∈ R_N} which
satisfies the following conditions:

— For any N ∈ 𝒩, r is selected from a finite set Q_N, and the random sampling
from Q_N is feasible.

— There exists an algorithm which outputs r ∈ Q_N on input N ∈ 𝒩, a ∈ A_N,
b ∈ R_N(a), a' ∈ A_N, b' = M_2(N, a, b, r) ∈ R_N(a') in steps.

These conditions are not restrictive. For example, the random self-reducible relation of the discrete logarithm problem presented in Section 2 satisfies them. It is easy to show that digital signature schemes such as the ElGamal scheme, the Fiat-Shamir scheme, the Schnorr scheme and the Pointcheval-Stern scheme can be constructed based on problems with random self-reducibility satisfying the conditions. 
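As an added illustration that is not part of the paper, the following Python code instantiates the random self-reducible relation above for the discrete logarithm problem and checks the two conditions, together with the key recovery that Theorem 1 and the proof of Theorem 2 rely on. The maps M_1(N, a, r) = a·g^r and M_2(N, a, b, r) = b + r mod q are our assumption of what the paper's Section 2 (not reproduced on this page) defines; the group parameters are a constructed toy, not values from the paper.

```python
# Added example (not code from the paper): the random self-reducibility of
# the discrete logarithm relation, in the shape the proofs above use.
# ASSUMPTION: M_1(N, a, r) = a * g^r and M_2(N, a, b, r) = b + r mod q are
# the usual discrete-log maps; the paper's Section 2 defining them is not on
# this page.  Group parameters are a constructed toy: p = 2q + 1 with
# p = 1019, q = 509 prime and g = 4 of order q.
import secrets

P, Q, G = 1019, 509, 4


def keygen():
    """Original key pair: secret b in Z_q, public a = g^b mod p."""
    b = secrets.randbelow(Q - 1) + 1
    return pow(G, b, P), b


def m1(a, r):
    """Temporal public key a_tmp = M_1(N, a, r) = a * g^r mod p."""
    return (a * pow(G, r, P)) % P


def m2(b, r):
    """Temporal secret key b_tmp = M_2(N, a, b, r) = b + r mod q."""
    return (b + r) % Q


def temporal_pair_is_valid(a, b, r):
    """(a_tmp, b_tmp) is again a key pair of the relation: g^b_tmp = a_tmp."""
    return pow(G, m2(b, r), P) == m1(a, r)


def recover_r(b, b_tmp):
    """Second condition: r follows from (N, a, b, a', b') with
    b' = M_2(N, a, b, r).  This is the step the adversary takes for each
    candidate user in the proof of Theorem 2."""
    return (b_tmp - b) % Q


def recover_b(b_tmp, r):
    """Theorem 1: SP knows r (it decrypted c), so b_tmp together with r
    yields the original secret key b."""
    return (b_tmp - r) % Q


def temporal_keys_cover_subgroup(a):
    """Why a_tmp alone identifies nobody: as r ranges over Z_q, a_tmp ranges
    over the whole order-q subgroup, whatever the original key a was."""
    return len({m1(a, r) for r in range(Q)}) == Q
```

The last function is the anonymity intuition in executable form: every user's temporal public key is uniformly distributed over the same subgroup, so only the ciphertext c (which carries I_U and r) ties a_tmp to a user, which is exactly why Theorem 2 reduces anonymity to the security of SP's encryption scheme.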

We further assume that an adversary A is able to obtain the temporal secret key b_tmp that the user uses during the execution in the trial phase. 

Theorem 2. If the public key encryption scheme of the service provider SP satisfies the indistinguishability of encryptions against the adaptive chosen-ciphertext attack, then the proposed scheme satisfies anonymity. 

Proof. In the observation phase, since an adversary A can fully control the network, he can apply the adaptive chosen-ciphertext attack on the public key encryption scheme of SP. 

Suppose that an adversary A has chosen two users U_0, U_1 at the end of the observation phase, whose original secret keys, b_0, b_1, are known to A. Furthermore, in the trial phase, suppose that A obtained b_tmp, which is used by the user to compute Sig_{b_tmp}(β, a_tmp) during the execution of the protocol. Then, from the conditions on the random self-reducibility described above, A can compute r_i from N, a_i, b_i, a_tmp, b_tmp for i = 0, 1, and the plaintext of the ciphertext c is (I_{U_0}, r_0) or (I_{U_1}, r_1). Since E_SP satisfies the indistinguishability of encryptions against the adaptive chosen-ciphertext attack, A's advantage of guessing i over random selection is negligible. □ 
4.2 Efficiency 

In 1^ , for third generation mobile telecommunications systems, an authentication scheme with ILP based on public key cryptography is shown which uses the service provider on-line. In this section, the proposed scheme is compared with the above scheme in terms of efficiency, and the advantage of the proposed scheme is made clear. In the following, the scheme in P] is called the 3GS3 scheme. 

The communication overhead of the proposed scheme is lower than that of the 3GS3 scheme, while the number of passes of the proposed scheme is equal to that of the 3GS3 scheme. In the proposed scheme, the network operator NO communicates on-line with the service provider SP in order to receive a temporal public key of U and its certificate. However, NO can send a challenge β to U without waiting for the response from SP. On the other hand, in the 3GS3 scheme, NO can send a challenge to U only after receiving the response from SP. 

As is mentioned in the Introduction, it is observed in 0 that the 3GS3 scheme needs a temporary user public key encryption transformation. For this problem, the proposed scheme provides a solution based on random self-reducibility, which can also be applied to the 3GS3 scheme. The solution is more advantageous than the naive solution in that a user need not prove to the service provider that he really generated the temporal public key a_tmp that he sends. The naive solution possibly requires the user to prove to the service provider that he really knows the corresponding temporal secret key. On the other hand, the proposed solution guarantees that the one who knows the secret key of a_tmp = M_1(N, a, r) is the one who knows both the random seed r and the secret key of the public key a. 

5 Extension 

In this section, we show that we can construct an authenticated key agreement protocol by applying the proposed scheme to an existing authenticated key agreement scheme. The constructed key agreement protocol also provides the ILP. With this key agreement protocol, a user can share a common secret session key with the network operator without the aid of the service provider; that is, the shared session key is known only to the user and the network operator he is visiting, and not to the service provider. 

To construct an authenticated key agreement protocol, we can apply the proposed scheme to some of the existing protocols, such as those in 0 EJ. As an example, we show the application of the proposed scheme to the station-to-station (STS) protocol [2]. In the following description, let (·)_K be a ciphertext obtained by encrypting the plaintext in (·) with the secret key K and some symmetric key encryption function. 

An authenticated key agreement scheme constructed by applying the proposed scheme to the STS protocol: 

1. U randomly selects k_U ∈ Z_q, computes u_U = g^{k_U} mod p and sends c, u_U, I_SP to NO, where c = E_SP(I_U, r). He also computes the temporal public key a_tmp = M_1(N, a, r) and the corresponding temporal secret key b_tmp = M_2(N, a, b, r). 

2. NO receives c, u_U, I_SP from U and sends c, I_NO to SP. He also randomly selects k_NO ∈ Z_q, computes u_NO = g^{k_NO} mod p and the session key K = u_U^{k_NO} mod p, and sends u_NO, S_NO((u_U, u_NO)_K) to U. 

3. After receiving c, I_NO from NO, SP recovers I_U, r from c. If the plaintext obtained from c is invalid, then he terminates the execution. Otherwise, he computes the temporal public key of U, a_tmp = M_1(N, a, r), and sends S_SP(c, a_tmp), a_tmp to NO. 

After receiving u_NO, S_NO((u_U, u_NO)_K) from NO, U computes the session key K = u_NO^{k_U} mod p and verifies the validity of the signature S_NO((u_U, u_NO)_K). If it is invalid, then he terminates the execution. Otherwise, he signs (u_NO, u_U)_K, a_tmp with his temporal secret key b_tmp and sends Sig_{b_tmp}((u_NO, u_U)_K, a_tmp) to NO. 

4. NO receives S_SP(c, a_tmp), a_tmp from SP and verifies the validity of the signature. If it is invalid, then he terminates the execution. Otherwise, after receiving Sig_{b_tmp}((u_NO, u_U)_K, a_tmp) from U, he verifies the validity of the signature with the temporal public key a_tmp. NO accepts U if and only if it is valid. 

In the above protocol, (u_NO, u_U)_K is used as a challenge from NO to U. The above protocol is also shown in Fig. 2. In this figure, the interactions between NO and SP are omitted because they are the same as those of the proposed scheme. 
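The exchange of steps 1 to 4, as an added example that is not part of the paper: the three parties are run as local code so that the session key agreement and NO's two signature checks can be observed. The assumptions are ours: Schnorr signatures over a constructed toy group (p = 1019, q = 509, g = 4), the discrete-logarithm temporal-key maps a_tmp = a·g^r and b_tmp = b + r mod q standing in for M_1 and M_2, a lookup table standing in for E_SP, and a SHA-256 keystream XOR standing in for the symmetric function behind (·)_K.

```python
# Added example, not the paper's own code: the STS-based key agreement of
# Section 5 run end to end, with the steps of U, NO and SP as local code.
# ASSUMPTIONS: Schnorr signatures over a constructed toy group (p = 1019,
# q = 509, g = 4 of order q); the temporal-key maps are the discrete-log
# ones, a_tmp = a * g^r and b_tmp = b + r mod q; E_SP is replaced by a table
# that only the SP step reads; (.)_K is a SHA-256 keystream XOR standing in
# for "some symmetric key encryption function".
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def H(*parts):
    """SHA-256 of the joined parts as an integer (full width, not reduced)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Key pair: secret b in Z_q, public a = g^b mod p."""
    b = secrets.randbelow(Q - 1) + 1
    return pow(G, b, P), b


def sign(b, *msg):
    """Schnorr signature (e, s) on msg under secret key b."""
    k = secrets.randbelow(Q - 1) + 1
    e = H(pow(G, k, P), *msg)
    return e, (k + e * b) % Q


def verify(a, sig, *msg):
    """Recompute g^s * a^(-e); a has order q, so a^(q - e mod q) = a^(-e)."""
    e, s = sig
    r = (pow(G, s, P) * pow(a, Q - e % Q, P)) % P
    return H(r, *msg) == e


def enc(K, *plain):
    """(plain)_K: toy keystream cipher keyed by the session key K."""
    data = "|".join(str(x) for x in plain).encode()
    stream = hashlib.sha256(b"K" + str(K).encode()).digest()
    return bytes(x ^ stream[i % 32] for i, x in enumerate(data))


def run_protocol(impersonator=False):
    """One execution; returns (NO accepts, K computed by U, K computed by NO).
    With impersonator=True the final message comes from a party that does not
    hold U's secret key b and therefore cannot form b_tmp; it signs with some
    other key b' and its own a' = g^b' instead (the setting of Theorem 1)."""
    a_u, b_u = keygen()      # user U's original key pair (a, b)
    a_no, b_no = keygen()    # network operator NO
    a_sp, b_sp = keygen()    # service provider SP
    sp_mailbox = {}          # stand-in for E_SP: only the SP step reads it

    # Step 1, U: k_U, u_U = g^{k_U}, c = E_SP(I_U, r), temporal key pair.
    k_u, r = secrets.randbelow(Q), secrets.randbelow(Q)
    u_u = pow(G, k_u, P)
    c = secrets.token_hex(8)
    sp_mailbox[c] = ("I_U", r)
    a_tmp = (a_u * pow(G, r, P)) % P
    b_tmp = (b_u + r) % Q

    # Step 2, NO: k_NO, u_NO, K = u_U^{k_NO}, signed challenge (u_U, u_NO)_K.
    k_no = secrets.randbelow(Q)
    u_no = pow(G, k_no, P)
    K_no = pow(u_u, k_no, P)
    sig_no = sign(b_no, enc(K_no, u_u, u_no))

    # Step 3, SP: recover (I_U, r) from c, derive a_tmp from U's a, certify it.
    _, r_sp = sp_mailbox[c]
    a_tmp_sp = (a_u * pow(G, r_sp, P)) % P
    cert = sign(b_sp, c, a_tmp_sp)

    # Step 3, U: K = u_NO^{k_U}, check NO's signature, answer with b_tmp.
    K_u = pow(u_no, k_u, P)
    if not verify(a_no, sig_no, enc(K_u, u_u, u_no)):
        return False, K_u, K_no
    if impersonator:
        b_tmp = (b_tmp + 1) % Q              # any key other than b_tmp
        a_tmp = (a_tmp * G) % P              # the matching a' = g^{b'}
    sig_u = sign(b_tmp, enc(K_u, u_no, u_u), a_tmp)

    # Step 4, NO: verify SP's certificate, then U's signature under the
    # certified a_tmp (never under a key U supplied itself).
    accepted = verify(a_sp, cert, c, a_tmp_sp) and verify(
        a_tmp_sp, sig_u, enc(K_no, u_no, u_u), a_tmp_sp)
    return accepted, K_u, K_no
```

Two things to observe: K is agreed between U and NO only (SP never sees u_U or u_NO, which is the point made at the start of this section), and NO takes a_tmp from SP's certificate, so a party without b cannot substitute a temporal key of its own choosing.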



[Figure 2 (diagram not reproduced): two columns, U on the left and NO on the right. 
U: k_U ∈_R {0, 1, ..., q−1}; u_U = g^{k_U} mod p; random r; c = E_SP(I_U, r); a_tmp = M_1(N, a, r); b_tmp = M_2(N, a, b, r); K = u_NO^{k_U} mod p. 
NO: k_NO ∈_R {0, 1, ..., q−1}; u_NO = g^{k_NO} mod p; K = u_U^{k_NO} mod p. 
U → NO: c, u_U, I_SP. NO → U: u_NO, S_NO((u_U, u_NO)_K). U → NO: Sig_{b_tmp}((u_NO, u_U)_K, a_tmp).] 

Fig. 2. An authenticated key agreement scheme constructed by applying the proposed scheme to the STS protocol. The interactions between NO and SP are omitted, as they are the same as those of the proposed protocol. 
6 Conclusion 

In this manuscript, we have proposed a user authentication scheme with ILP. We have also discussed the provable security and the efficiency of the proposed scheme. Furthermore, we have shown that we can construct authenticated key agreement schemes by applying the proposed scheme to some of the existing authenticated key agreement schemes. 
Abstract. Mobile commerce is becoming more and more commonplace, but security is still a major concern. To provide security, the WAP (Wireless Application Protocol) forum suggests the WAP security architecture. However, it needs the WAP gateway for intermediate processing between the WTLS (Wireless Transport Layer Security) and the SSL (Secure Socket Layer) protocol, and it does not guarantee end-to-end security between the mobile devices and the WAP servers. In this paper, we propose a new authentication protocol to solve this problem. Our solution is based on the design of a new network component that is called the CRL-agent. Furthermore, we also analyze and evaluate the security strength of the proposed protocol. 



1 Introduction 

Recently, new customers and services have been developing due to the rapid growth of the wireless Internet market. Operators and manufacturers established the WAP forum, which defines a set of protocols in the transport, security, transaction, session and application layers to meet the challenges of advanced, distinguished, fast and flexible services. The WAP forum has developed the WTLS layer for secure communication in the WAP environment. The primary goal of the WTLS is to provide privacy, data integrity and authentication between communicating applications. The WTLS provides functions similar to SSL 3.0 and incorporates new features such as datagram service, optimized handshake and dynamic key refreshing. The WTLS is optimized for low-bandwidth bearer networks with a relatively long latency P,|2|. 

Presently, the serious security problem in the WAP is caused not by the WTLS itself but by the introduction of the WAP gateway. Since the WTLS is not compatible with the SSL protocol used on the web, the WAP gateway must decrypt the data received from the WAP client and re-encrypt the data to transfer it to the WAP server. The existence of the WAP gateway in the network has the advantage that a content provider does not need new software to overcome differences between wired and wireless networks. However, the drawback is that we have no real end-to-end security between the WAP client and the WAP server. 

In this paper, we design a new authentication protocol that can provide 
several security services such as a WAP client’s user authentication, session key 
establishment, dynamic key refresh and end-to-end security between a WAP 
client and a WAP server in the WAP environment. 

The rest of this paper is organized as follows. In Section 2, we show the 
architecture of WAP and shortcomings of it. Moreover, we present necessity of 
designing a new protocol. In Section 3, we introduce the whole operating rule of 
the proposed protocol and a new network component that is called CRL-agent. 
In Section 4, we introduce notations and the proposed protocol. In Section 5, we 
evaluate the proposed protocol from the security point. Finally, we present some 
tips that can be used to embody the proposed protocol and make conclusions in 
Section 6. 



2 The Security Architecture for WAP and Its Shortcomings 

2.1 The Security Architecture for WAP 

The WTLS that is provided by the WAP forum is composed of four subprotocols. The Handshake Protocol, Alert Protocol and Change Cipher Spec Protocol are used for managing the operation of the WTLS, and the Record Protocol provides the actual security services. For establishing a secure session between the WAP client and the WAP server through the WTLS, the Handshake Protocol is processed in advance to allow the peers to agree upon security parameters such as a session key, a peer certificate, the compression method, the master secret and the key refresh to be performed. The negotiated security parameters are used to provide security services in the Record Protocol0,|^. 




Fig. 1. The security architecture in WAP environment 
The security architecture for WAP is shown in Fig. 1. The WTLS is used for secure services in the wireless environment between the WAP client and the WAP gateway, and SSL is used for secure services in the wired environment between the WAP gateway and the WAP server. 

2.2 The Shortcomings of Security Architecture for WAP 

The security architecture for WAP based on WTLS/SSL has the following shortcomings. 

— It does not provide end-to-end security between the WAP client and the WAP server. That is, the WAP gateway decrypts the data that is received from the WAP client and re-encrypts it for the wired Internet. Consequently, plaintext is exposed in the WAP gateway. 

— For a secure session, several public certificates based on X.509 v3 are used. Furthermore, the verification of a received certificate needs to query and verify the CRLs (Certificate Revocation Lists). This traffic leads to extravagant use of the resources of the WAP client, which has only low processing power and memory. Even though the WAP forum recommends short-lived certificates for the verification of certificates, this is not a clear solution [5]. 

— Security vulnerabilities of the WTLS have been published 0, jS|, 0,0. 

— Authentication based on a public certificate only supports the legality of the communicating entity. Therefore, it does not sufficiently present the authorization information of the communicating entity 0. 

In this paper, we propose a security protocol that can be applied in the WAE (Wireless Application Environment) layer of the WAP protocol stack. Since it operates in a different layer from the WTLS/SSL, it can be applied together with them. The proposed protocol in this paper, which is called E2ESP (End-to-End shared Security Protocol), resolves the shortcomings of the original WAP security architecture and supports basic access control based on the identity of the WAP client's user. 

In this paper, we assume that the WAP gateway is located in the subnetwork of the network operator. At present, the input equipment of a mobile phone is very limited, and network operators do their best to support a more useful and interesting WAP portal that has the power to attract subscribers. Therefore, most users browse the sites linked from the WAP portal that is provided by the WAP gateway, and few users visit unlinked sites by typing the URL directly0. Hence, E2ESP focuses on the usual wireless Internet services based on the WAP portal. However, E2ESP can also operate in a situation where a company has its own WAP gateway and needs to do access control for internal users that connect from the outside. 

3 CRL-Agent Assumptions 

When a user starts the wireless Internet service, the home page of the WAP browser of the WAP client is set to the WAP portal. If the WAP servers that are linked from the WAP portal are sites that need security, such as on-line banking, stock services and m-commerce, these sites have already agreed with the network operator on the support of E2ESP. Fig. 2 shows the architecture of E2ESP. 




[Figure 2 (diagram not reproduced): the only legible label is "Network Operator".] 

Fig. 2. The architecture of E2ESP 



When a user does not want to use E2ESP for communication with a linked 
WAP server or tries to communicate with an un-linked WAP server, a session 
between the WAP client and the WAP server can be made securely by the 
WTLS/SSL. However, when a WAP client uses E2ESP for a secure session with 
a WAP server, it is not surely necessary to use the WTLS/SSL for a secure 
session. 

We assume that the CRL-agent is located in the subnetwork of the network operator and that it is a secure system. The main function of the CRL-agent is to investigate the present state of the public certificates for the public keys that are used in E2ESP. The present state of a public certificate means that it is in one of the following three states: "applicable", "revoked" or "updated". We consider the traffic overhead of the CRL-agent and restrict the issuing of public certificates for E2ESP to several specific CAs (Certificate Authorities) negotiated with the network operator. The CRL-agent periodically investigates CRLs to ensure the state of the WAP servers and the public keys of the WAP servers. When a WAP client makes a request for the WAP portal page to the WAP gateway, the WAP gateway makes a request for the public key state information that is related to the WAP client. Then, the CRL-agent returns the public key state information to the WAP gateway. The WAP gateway that received the response sends the WAP portal page and the public key state information to the WAP client. 
When the CRL-agent sends the public key state information to the WAP gateway, it does not perform any transformation for privacy. Moreover, the public key of the WAP client for communicating with the CRL-agent is already known to the CRL-agent, and the CRL-agent can periodically investigate the state of the public certificate of the WAP client for E2ESP. If the public key of the WAP client is revoked, the CRL-agent can make a request for a new certificate URL to the WAP client. More detailed procedures are introduced in [5]. 

In this paper, we assume that the WAP client trusts network operator as the 
following point of view. 

— The WAP client trusts that the CRL-agent is a secure system. That is, the 
WAP client trusts that the public key of the CRL-agent is safe and already 
knows the public key of the CRL-agent from the initial establishment. How- 
ever, it can query the CRLs to verify the public certificate for the CRL-agent. 

— The WAP client can verify the received information that is signed by the 
CRL-agent. 

4 End-to-End Authentication Protocol in WAP 

4.1 Notations 

In this section, we introduce some notations as follows. 

— C_i : The identity of the i-th WAP client, for 1 ≤ i ≤ n. 

— S_j : The identity of the j-th WAP server, for 1 ≤ j ≤ m. It may be linked to WAP portal pages. 

— CRLA : The identity of the CRL-agent. 

— U_ij : The identity of the i-th WAP client's user at the j-th WAP server. For example, the user's account name in the WAP server. 

— PU_X : A public key of communication entity X. 

— PR_X : A private key of communication entity X. 

— Hash(m) : A one-way hash value of message m. 

— Ppass_j : A public password that is a hash value of the public key of the j-th WAP server: 

Ppass_j = Hash(PU_Sj) 

— Upass_ij : A user-defined weak password that corresponds to the user's account U_ij. 

— r_X : A random challenge of communication entity X. Its main function is both response and timeliness. In the initialization step for E2ESP, it can be replaced with a time-stamp value. 

— refresh : It defines how often session keys are updated. A new session key is calculated at every n-th message, i.e. the sequence numbers of the new session keys are 0, n, 2n, 3n, etc., respectively. 

— Krls : A list that includes all kinds of refresh periods which a WAP server can support; it is called the key refresh list. 

— Svls : A list that includes the identities of the WAP servers whose certificates are revoked; it is called the server list. 

— Info : A notification message that the identity of a WAP server is deleted from the certificate query lists for a specific WAP client. 

— seqnum : The sequence number of a transmitted message. 

— ZZ_ij : A shared secret value that is derived from the key agreement between the i-th WAP client and the j-th WAP server through E2ESP. 

— SK_ij : A session key that is used for a secure session between the i-th WAP client and the j-th WAP server and is derived from ZZ_ij and the other parameters. 

— E_A(m) : Message m is encrypted with key A. 

— D_A(m) : Message m is decrypted with key A. 

— SIG_A(m) : Message m is signed with key A. 



4.2 Initialization for E2ESP 

After establishing a session between the WAP client and the WAP gateway (optionally through WTLS), the process by which the WAP client receives the WAP portal page is shown in Fig. 3. The detailed procedures are given as follows; 



Message 1 : [WAP client => WAP gateway] 
WAP portal request, C_i, SIG_{PR_Ci}(C_i, r_Ci) 
Message 2 : [WAP gateway => CRL-agent] 
C_i, SIG_{PR_Ci}(C_i, r_Ci) 
Message 3 : [CRL-agent => WAP gateway] 
CRLA, SIG_{PR_CRLA}(Svls, CRLA, C_i, r_Ci) 
Message 4 : [WAP gateway => WAP client] 
WAP portal pages, CRLA, SIG_{PR_CRLA}(Svls, CRLA, C_i, r_Ci) 

Fig. 3. Initialization for E2ESP 



Message 1 WAP portal request, C_i, SIG_{PR_Ci}(C_i, r_Ci) 

The i-th WAP client C_i requests the WAP portal page from the WAP gateway. 

Message 2 C_i, SIG_{PR_Ci}(C_i, r_Ci) 

The WAP gateway requests the public key state information of the WAP servers for C_i from the CRL-agent before sending the WAP portal pages to C_i. 

Message 3 CRLA, SIG_{PR_CRLA}(Svls, CRLA, C_i, r_Ci) 

The CRL-agent has a database that is called the certificate query lists. This database defines which WAP servers' certificates need to be verified for each WAP client. 



An End-to-End Authentication Protocol in Wireless Application Protocol 



The CRL-agent receives message 2, determines the required public key state information for the WAP servers which are included in the certificate query lists for C_i and makes the server list. Then, the CRL-agent sends message 3 to the WAP gateway. 

Message 4 WAP portal pages, CRLA, SIG_{PR_CRLA}(Svls, CRLA, C_i, r_Ci) 

After receiving message 3, the WAP gateway sends message 4 to C_i. Then, C_i verifies the signed part of message 4 with the public key of the CRL-agent. Finally, C_i displays the WAP portal pages in the WAP browser and recognizes whether each WAP server's public key is revoked or not. 

If the public certificate of the j-th WAP server S_j to be accessed by the i-th WAP client C_i is revoked or updated, C_i must update the public password for S_j or delete the identity of S_j from the certificate query lists. We will discuss the public password in Section 4.3 in more detail. The detailed procedures are shown in Fig. 4 and given as follows; 



Message 1 : [WAP client => WAP gateway] 
C_i, SIG_{PR_Ci}(S_j, C_i, r_Ci) 
Message 2 : [WAP gateway => CRL-agent] 
C_i, SIG_{PR_Ci}(S_j, C_i, r_Ci) 
Message 3-1 : [CRL-agent => WAP gateway] 
CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, PU_Sj, r_Ci) 
Message 3-2 : [CRL-agent => WAP gateway] 
CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, Info, r_Ci) 
Message 4-1 : [WAP gateway => WAP client] 
CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, PU_Sj, r_Ci) 
Message 4-2 : [WAP gateway => WAP client] 
CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, Info, r_Ci) 

Fig. 4. Updating public password for WAP server 



Message 1 C_i, SIG_{PR_Ci}(S_j, C_i, r_Ci) 

Message 1 has two meanings according to the circumstances. If the identity of S_j is not included in the certificate query lists inside the CRL-agent for the requesting C_i, it means that C_i wants to add S_j to the certificate query lists. If the identity of S_j is included in the server list of message 4 of the former initialization step, it means that C_i wants to receive the updated public key of S_j or to delete S_j from the certificate query lists. 

Message 2 C_i, SIG_{PR_Ci}(S_j, C_i, r_Ci) 

The WAP gateway only forwards the received message from C_i to the CRL-agent. 

Message 3-1 CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, PU_Sj, r_Ci) 
Message 3-2 CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, Info, r_Ci) 

After receiving message 2, the CRL-agent performs the following steps. 

— If the received S_j is included in the certificate query lists for C_i, 

• In the case of an update of S_j's public certificate for E2ESP, the CRL-agent sends message 3-1, which includes a new public key for S_j, to the WAP gateway. 

• In the case of revocation of S_j's public certificate for E2ESP, the CRL-agent deletes S_j from the certificate query lists for C_i and makes a notification message Info that is added into message 3-2. The CRL-agent sends message 3-2 to the WAP gateway. 

— If the currently received S_j has a site linked with the WAP portal pages and is not included in the certificate query lists for C_i, the CRL-agent adds the received S_j to the certificate query lists for C_i and sends message 3-1, which includes a new public key for S_j, to the WAP gateway. 

Message 4-1 CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, PU_Sj, r_Ci) 

Message 4-2 CRLA, SIG_{PR_CRLA}(CRLA, S_j, C_i, Info, r_Ci) 

The WAP gateway only forwards message 3-1 or message 3-2 to C_i. C_i, having received message 4-1 or 4-2, performs one of the following two steps according to the circumstances. 

— If C_i receives message 4-1, C_i hashes the received public key of S_j and allows the user to use it as a public password. 

— If C_i receives message 4-2, E2ESP for communicating with S_j becomes inactive. However, this is independent of the existing WTLS/SSL protocol. 



4.3 E2ESP 

When the WAP client's user receives the WAP portal pages and the public key state information from the WAP gateway, the user can start the login process and key agreement for E2ESP based on the user-defined password. E2ESP adopts the EKE (Encrypted Key Exchange) method based on Diffie-Hellman key agreement ^01 >. The WAP client's user and the WAP server agree on a large prime p and g, such that g is primitive mod p. These two integers do not have to be secret; the WAP client and the WAP server can agree on them over some insecure channel. The user has a hash value of the public key of the WAP server as a public password. The user does not even need to type such a digest, but just recognize it when it is displayed. The WAP server has a user-defined password as 

$V_{ij} = g^{Hash(Upass_{ij}, U_{ij}, S_j)}$ for $1 \le i \le n$, $1 \le j \le m$. 

The value V_ij allows the WAP server not to obtain or store the password itself; this way we can limit the damage if the WAP server is corrupted or the database is leaked. V_ij is stored together with the WAP client's identity in the WAP server's user database. 

The procedure for the WAP client's user who wants to log in to the WAP server is given in Fig. 5. In this paper, we omit the mod p calculation for convenience. 
Message 1 : [WAP client => WAP server] 
User login request 
Message 2 : [WAP server => WAP client] 
r_Sj, PU_Sj, g^x, g^{x'}, Krls 
Message 3 : [WAP client => WAP server] 
E_{PU_Sj}(U_ij, S_j, g^y, refresh, E_{SK_ij}(r_Sj)), r_Ci 

Fig. 5. A secure session establishment over E2ESP 



Message 1 User login request 

Message 1 may be sent by the i-th WAP client's user to the j-th WAP server at any time. This message just means that U_ij can negotiate several security parameters such as ZZ_ij, SK_ij and refresh, and that U_ij wants to log in to S_j. Message 1 does not include the user's identity U_ij but the identity of the i-th WAP client, C_i. 

Message 2 r_Sj, PU_Sj, g^x, g^{x'}, Krls 

S_j, having received message 1, chooses two random big integers x and x', and computes g^x and g^{x'} for key agreement with C_i. Of course, x and x' are secret information of S_j. Then, S_j generates r_Sj as a random challenge and makes a key refresh list. Finally, S_j composes message 2 and sends it to C_i. 

Message 3 E_{PU_Sj}(U_ij, S_j, g^y, refresh, E_{SK_ij}(r_Sj)), r_Ci 

C_i, having received message 2, compares the public password Ppass_j with the hash value of PU_Sj. The implementation technique of this comparison will be handled in Section 6 in more detail. If the two values do not agree, C_i may request the CRL-agent to give the public key state information for S_j. If the two values agree, C_i requests the user to input his identity U_ij and password Upass_ij, and chooses an appropriate refresh from the received key refresh list. Then, C_i chooses a random big integer y and generates g^y; y is secret information of C_i. 

C_i generates a shared secret ZZ_ij and a session key SK_ij for a secure session with S_j in the following way. 

$ZZ_{ij} = Hash\big((g^{x})^{y},\ (g^{x'})^{Hash(Upass_{ij}, U_{ij}, S_j)}\big)$ 

$SK_{ij} = Hash(ZZ_{ij}, r_{S_j}, r_{C_i}, seqnum)$ 

Finally, C_i generates message 3 and sends it to S_j. 

Now, S_j receives message 3, decrypts it with its own private key PR_Sj and learns the user's identity U_ij and g^y. S_j generates a shared secret and a session key in the following way. 

$ZZ_{ij} = Hash\big((g^{y})^{x},\ V_{ij}^{x'}\big)$ 

$SK_{ij} = Hash(ZZ_{ij}, r_{S_j}, r_{C_i}, seqnum)$ 
As a result, S_j can decrypt the encrypted part of message 3 with SK_ij and compare r_Sj with the received one. If the two values agree, S_j knows that the generated session key and U_ij are correct. 

The first seqnum value is 0 and this value is updated at every message exchange between C_i and S_j. When updating SK_ij according to refresh, the above procedure for generating the session key SK_ij must be recomputed, where only seqnum is changed. 
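The login of Fig. 5, as an added example that is not part of the paper: both sides compute ZZ_ij and SK_ij with the formulas above, the client performs the Ppass_j check of message 3 before revealing anything, and the refresh rule of Section 4.1 is applied to a run of messages. Everything below is our construction: a toy group (p = 1019, q = 509, g = 4 of prime order q, where the paper takes g primitive mod p), SHA-256 as Hash, string placeholders for PU_Sj, and the public-key encryptions E_{PU_Sj} and E_{SK_ij} left out because the point shown is the shared-secret derivation.

```python
# Added example, not code from the paper: the E2ESP login of Fig. 5 computed
# on both sides, the Ppass_j check of message 3, and the refresh rule for
# SK_ij.  ASSUMPTIONS: a constructed toy group p = 1019, q = 509, g = 4 of
# order q (the paper takes g primitive mod p; the prime-order subgroup only
# lets exponents be reduced mod q), Hash = SHA-256, and E_{PU_Sj} / E_{SK_ij}
# are left out because the point shown is the shared-secret derivation.
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def Hash(*parts):
    """Hash(m): SHA-256 of the joined parts, as an integer."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verifier(upass, uid, sid):
    """V_ij = g^{Hash(Upass_ij, U_ij, S_j)}: what S_j stores instead of the
    password itself."""
    return pow(G, Hash(upass, uid, sid) % Q, P)


def public_password(pu_s):
    """Ppass_j = Hash(PU_Sj): the value the client recognises for S_j."""
    return Hash(pu_s)


def session_key(zz, r_s, r_c, seqnum):
    """SK_ij = Hash(ZZ_ij, r_Sj, r_Ci, seqnum)."""
    return Hash(zz, r_s, r_c, seqnum)


def key_schedule(zz, r_s, r_c, refresh, n_messages):
    """Key used for messages 0 .. n_messages-1: a new SK_ij is computed at
    seqnum 0, n, 2n, ... with n = refresh; messages in between reuse it."""
    return [session_key(zz, r_s, r_c, (m // refresh) * refresh)
            for m in range(n_messages)]


def run_login(upass_client, upass_stored, uid="U_11", sid="S_1",
              server_pub_ok=True):
    """One login.  Returns (public password check passed, SK_ij agrees).
    server_pub_ok=False models a responder that sends its own public key."""
    pu_s = "PU_S_1 (constructed stand-in)"    # S_j's real public key
    ppass_pinned = public_password(pu_s)      # C_i's stored Ppass_j
    v_ij = verifier(upass_stored, uid, sid)   # S_j's user database entry

    # Message 2 (S_j): x, x', g^x, g^x', challenge r_Sj, public key.
    x, x2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    gx, gx2 = pow(G, x, P), pow(G, x2, P)
    r_s = secrets.randbelow(2 ** 32)
    pu_received = pu_s if server_pub_ok else "PU of someone else"

    # C_i: first compare Ppass_j with the hash of the received public key.
    if public_password(pu_received) != ppass_pinned:
        return False, False
    y = secrets.randbelow(Q - 1) + 1
    gy = pow(G, y, P)
    r_c = secrets.randbelow(2 ** 32)
    zz_c = Hash(pow(gx, y, P), pow(gx2, Hash(upass_client, uid, sid) % Q, P))
    sk_c = session_key(zz_c, r_s, r_c, 0)

    # Message 3 reaches S_j: ZZ_ij from g^y, x, x' and the stored V_ij.
    zz_s = Hash(pow(gy, x, P), pow(v_ij, x2, P))
    sk_s = session_key(zz_s, r_s, r_c, 0)
    return True, sk_c == sk_s
```

The two ZZ_ij values coincide because (g^{x'})^{Hash(Upass_ij, U_ij, S_j)} and V_ij^{x'} are the same group element, which is what lets S_j keep only V_ij. With a wrong password the two values differ, except with probability about 1/q in this toy group, which is one reason a deployment needs a large group; the Ppass_j check is the step the first attack scenario of Section 5 runs into.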

5 Security Evaluation of E2ESP 

In this section, we evaluate the security of E2ESP through some attack scenarios. 

— When the attacker compromises V_ij and masquerades as the j-th WAP server S_j. 

• The attacker generates disguised r*_Sj, x*, x'* and sends 

r*_Sj, PU_Sj, g^{x*}, g^{x'*}, Krls 

to the i-th WAP client C_i. Then, C_i receives the above message and computes a shared secret 

ZZ*_ij = 

and a session key SK*_ij corresponding to ZZ*_ij. Finally, C_i sends 

E_{PU_Sj}(U_ij, S_j, g^y, refresh, E_{SK*_ij}(r*_Sj)), r_Ci 

to the attacker. In this situation, the attacker must know PR_Sj to compromise U_ij or SK_ij. That is, the attacker must decrypt the message that is encrypted with PU_Sj. 

• If the attacker uses its own public key to make a response to the user login request of C_i, he may send 

r*_Sj, PU*_Sj, g^{x*}, g^{x'*}, Krls 

as the response to C_i. Since the verification process of the public password is performed, this attack would fail. However, when g^y is exposed by accident, the attacker could make a session key successfully. 

— When the attacker eavesdrops on the inner traffic of the WAP gateway and masquerades as U_ij. 

This active attack is possible when an attacker knows Upass_ij and U_ij. Suppose the attacker who masquerades as U_ij randomly generates r*_Ci, g^{y*}, U*_ij and Upass*_ij, and computes a shared secret and a session key 

SK*_ij = Hash(ZZ*_ij, r_Sj, r*_Ci, seqnum). 
He chooses a masqueraded refresh* and sends 

E_{PU_Sj}(U*_ij, S_j, g^{y*}, refresh*, E_{SK*_ij}(r_Sj)), r*_Ci 

to S_j; then S_j tries to decrypt the received message and looks up U*_ij and its related information Upass*_ij in the system. If S_j cannot find the correct U*_ij and Upass*_ij, it terminates the present session. However, if S_j can find a correct U*_ij and Upass*_ij by accident, the secure session is established between the attacker and S_j, where the attacker has come to know the identity of the user and the user-defined password. 

The second possible attack can be prevented by the following two methods. 

— S_j, which has already sent message 2 in Fig. 5, closes the session after waiting for a defined time interval. Since the transmitted r_Sj, g^x, g^{x'} values change every time, it is impossible for an attacker inside the WAP gateway to perform an off-line password guessing attack. Moreover, S_j can impose a time delay on establishing a session for a user who has already failed to log in to S_j several times; hence, on-line password guessing attacks can be prevented. 

— Since the input mechanism of the WAP client is so simple, it is basically a weak situation against a dictionary attack. However, since the identity of the user and the user-defined password are not sent in plaintext over the insecure channel, it is difficult for an attacker to perform on-line and off-line password guessing attacks and to learn the identity of the user and the user-defined password. Therefore, these attacks can be efficiently prevented in E2ESP. 

6 Implementation Techniques of E2ESP & Conclusion 

For example, the following situation can be considered: "When does the WAP client request the CRL-agent to manage the updated or revoked WAP servers' public certificates after receiving the public key state information from the WAP gateway?" There are two possible ways to implement this. The first is that the WAP client requests the updating process of the public password from the CRL-agent right after receiving the WAP portal pages and the server list. The second is that the WAP client requests the updating process of the public password from the CRL-agent right before trying to connect with the WAP server whose public certificate has been revoked. 

For a user to be able to read, recognize, and type the public password, it is advisable to have a user-readable format for these passwords. A representation which maps arbitrary binary strings into easy-to-read words was introduced in detail in the context of one-time passwords [ref]. When the WAP client receives the WAP server's public key (message 2 in E2ESP), it displays a verification screen of the public key to the user, as given in Fig. 6. 

In Fig. 6 one of the numbers 1, 2, 3, 4 is the correct public password. The user must choose the number corresponding to the correct public password. That is, if the public password is "limb mont bloc gone rage pit", the user may choose "1". The others, from 2 to 4, are randomly selected words from the word dictionary of the S/Key system, chosen by the WAP client. The next step after verifying the public password is that the user must input his identity and user-defined password. Fig. 6 shows this process. After ending all of the above steps, the WAP client sends message 3 of Fig. 5 to the WAP server. The above-mentioned implementation is a typical example, so various alternatives are possible if we consider the user's convenience. 

[Fig. 6: three WAP "Sign On" screens. Screen 1, "<Choose public password>": 1 limb mont bloc gone rage, 2 eddy weak half goon net, 3 srt mont fire grad rear, 4 hone ton ton len twe van; button "Select". Screen 2, "Enter User ID:" with the field [tempid]; button "OK". Screen 3, "Enter User Password:"; button "OK".] 

Fig. 6. Example of user interface to input public password, user ID and user-defined password 
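As an added illustration of the user-readable public password above (this is example code, not the paper's E2ESP implementation), the following Python maps a fingerprint of a public key into dictionary words and builds the four-way choice screen of Fig. 6. The word list is a constructed 16-entry toy dictionary (4 bits per word) standing in for the 2048-word S/Key list, and the fingerprint is the leading bits of a SHA-1 hash of the key; both are assumptions made to keep the example self-contained.

```python
import hashlib
import secrets

# Constructed toy dictionary: 16 words, so each word encodes 4 bits.
# S/Key (RFC 1751) uses 2048 words and 11 bits per word; the mechanism is the same.
WORDS = ["limb", "mont", "bloc", "gone", "rage", "pit", "eddy", "weak",
         "half", "goon", "net", "fire", "grad", "rear", "hone", "ton"]
BITS_PER_WORD = 4
N_WORDS = 6   # 24-bit fingerprint prefix is displayed in this toy example


def fingerprint_bits(public_key: bytes, n_bits: int = N_WORDS * BITS_PER_WORD) -> int:
    """Hash the server's public key and keep its leading n_bits as the displayed value."""
    digest = hashlib.sha1(public_key).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - n_bits)


def to_words(value: int, n_words: int = N_WORDS) -> list:
    """Split value into n_words groups of BITS_PER_WORD bits, most significant first."""
    mask = (1 << BITS_PER_WORD) - 1
    return [WORDS[(value >> (BITS_PER_WORD * (n_words - 1 - i))) & mask]
            for i in range(n_words)]


def from_words(words) -> int:
    """Inverse of to_words: what a client would recompute from a typed password."""
    value = 0
    for w in words:
        value = (value << BITS_PER_WORD) | WORDS.index(w)
    return value


def public_password(public_key: bytes) -> str:
    return " ".join(to_words(fingerprint_bits(public_key)))


def make_choices(correct: str, n_choices: int = 4, rng=secrets.SystemRandom()) -> list:
    """The correct public password plus random decoys from the same dictionary,
    shuffled so the correct entry sits at a random position (screen 1 of Fig. 6)."""
    choices = {correct}
    while len(choices) < n_choices:
        choices.add(" ".join(rng.choice(WORDS) for _ in range(N_WORDS)))
    choices = list(choices)
    rng.shuffle(choices)
    return choices


def user_selected_correctly(choices, selected_index: int, public_key: bytes) -> bool:
    """The client accepts the key only if the user picked the entry matching it."""
    return choices[selected_index] == public_password(public_key)
```

The check on the client side compares the user's selection against a fingerprint recomputed from the received key, so a substituted key (for example one injected at the gateway) produces a different word list that the user would not have memorized.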

In this paper, we propose a new security protocol that provides end-to-end security between the WAP client and the WAP server in the WAP environment. Since E2ESP adopts the EKE method for a user to log in to the WAP server, the user's identity is not exposed over the insecure channel. Moreover, E2ESP enables the WAP server to perform basic access control based on the user's identity and key agreement. E2ESP can operate securely alone, and more securely together with WTLS/SSL. 
Abstract. Detecting errors in a raw key and authenticating a private key are crucial for quantum key distribution schemes. Our aim is to propose practical methods for error detection and authentication in quantum key distribution schemes. We introduce several concepts about neighborhood collision free properties of Boolean functions, which are closely related to hash functions, and propose methods based on neighborhood collision free functions and error correcting codes such as the Reed-Solomon code. We also examine whether or not the widely used cryptographic hash functions SHA-1 and MD5 satisfy the neighborhood collision free property by computational experiments. 



1 Introduction 

Quantum key distribution schemes have been introduced and studied in detail up to date (e.g. [refs]). Under ideal circumstances, like an experiment in a laboratory without any physical interference, quantum key distribution schemes enjoy unconditional security. Since an eavesdropper Eve's unlawful access to the quantum channel causes disturbance of the bit patterns of the photons sent by Alice, due to the Heisenberg uncertainty principle, Alice and Bob can detect Eve's intervention by estimating the error rate after the data transmission through the quantum channel. Error estimation can be carried out by discussion through the classical channel. Physical errors inevitably occur in data transmission through the quantum channel under realistic circumstances. Eve may want to obtain only a small amount of information concerning the private key shared by Alice and Bob. Then Eve's best strategy is to wiretap only a small fraction of the total data transmission over the quantum channel, and deceive Alice and Bob into believing that the resulting disturbance is caused by the physical defects of the quantum channel and other peripherals. By this attack, Eve may be able to obtain partial information on the private key shared by Alice and Bob. Under such a scenario, bits where errors may have happened are more suspicious of Eve's intervention than the other bits and should be discarded to prevent Eve from gaining any partial information. The following are essential to attain virtually unconditional security. The first is to lower the error rate in the data transmission through the quantum channel. This depends on improvements of physical devices such as optical fibers, single photon sources, avalanche photodiode detectors and so on. The error rate depends on the distance of the quantum data transmission: the longer the channel gets, the higher the error rate rises. See [refs] for recent experimental results. The second is to efficiently detect (and correct) errors in the raw keys, remove the leaked information and confirm the integrity of the private key agreed by Alice and Bob. Our aim in this paper is to propose practical methods toward the second goal. 

We briefly explain the general scheme of quantum key distribution (see Chapter 2 of [ref] for more detail). First, Alice generates a (sufficiently long) random bit string and sends photon pulses according to the random bit string through the quantum channel, where the basis and the polarization are randomly determined. Bob also generates a random bit string and measures the photon pulses with the basis determined according to his random bit string. Then Alice and Bob obtain bit strings, called raw keys, respectively. We should note that Bob's raw key is totally different from Alice's raw key because Bob does not know Alice's choice of bases and cannot get to know the bits in Alice's raw key unless he chooses the same basis. Checking their choice of bases through the classical channel, they estimate the errors existing in Bob's raw key and then obtain sifted keys (this process is called sifting). The error rate is supposed to be kept under a previously fixed value, which is determined by the quality of the physical devices, unless Eve intervened. If Eve wiretapped a substantial amount of the data transmission from Alice to Bob through the quantum channel, Eve's intervention can be detected in this stage because Alice and Bob will find that the error rate is larger than the previously fixed value. Eve's best strategy to eavesdrop is to wiretap only a small fraction of the total data transmission through the quantum channel. It follows that the information leaked to Eve is at most the physical error rate. 

Second, errors must be removed or corrected. After the error correction process, Alice and Bob possess an identical key called the reconciled key. Note that Eve might have partial information on the reconciled key because Eve could eavesdrop on the communication through the quantum and the classical channel, even though the potentially leaked information is almost negligible. 

Third, Eve's information is reduced substantially using privacy amplification, which is a method to lower Eve's information exponentially by sacrificing bits of the reconciled key linearly [refs]. Privacy amplification can be carried out using $t$-resilient functions [ref] (also known as $(N, J, K)$ functions [ref]). The resulting key is called a private key. 

Lastly, Alice and Bob confirm the integrity of their private key and obtain an authenticated private key. We illustrate a typical process of key distribution in a quantum key distribution scheme in Fig. 1. 

Fig. 1. Data Processing in Quantum Key Distribution 



We introduce the concept of a (globally, locally) neighborhood collision free function and show that SHA-1 [ref] and MD5 [ref] enjoy the neighborhood collision free property by computer experiments. We present methods to detect errors in the raw keys and to authenticate the private key in a quantum key distribution scheme using a neighborhood collision free function. Our methods realize the error detection (correction) and authentication procedures in Fig. 1. 

2 Several Error Correction Methods 

We briefly explain the error correction methods in [ref] and [ref] in this section. Suppose Alice and Bob possess their sifted keys after the sifting process in a quantum key distribution scheme. If Alice has a sifted key $r$, then Bob has a sifted key $r \oplus e$, where $\oplus$ denotes the bitwise exclusive or, and $e$ represents the errors that occurred. The Hamming weight of $e$ depends on the physical error rate of data transmission through the quantum channel, and recent physical experiments show a relatively low error rate for short distance transmission. See, for example, [refs]. The physical error rate is the fraction of occurrences of errors in the total data transmission through the quantum channel. Under the most ideal assumption, we have $e = 0$, and hence Alice and Bob share the identical key, on which Eve has no chance to get any information. Although physical errors unavoidably occur at some rate under realistic conditions, they are very rare. Therefore, the Hamming weight of $e$ is proportional to the error rate and so only slightly greater than 0. We may assume that most of the bits in $e$ are 0. To share the identical private key, Alice and Bob need to get rid of the error bits. Especially if they intend to use the key as the secret key for a symmetric cipher, it is crucial to share an identical authenticated private key. 

First, we explain the error correction method by Bennett, Bessette, Brassard, Salvail and Smolin [ref]. Alice divides her sifted key into blocks. Bob also divides his sifted key in the same way as Alice does: if Alice has the sifted key $r$ and $r$ is divided as $r = r_1 r_2 \cdots r_n$, then Bob has the sifted key $r \oplus e$ and it is divided as $r \oplus e = (r_1 \oplus e_1)(r_2 \oplus e_2) \cdots (r_n \oplus e_n)$, where $e = e_1 e_2 \cdots e_n$ represents the error bits. Then Alice computes the parity of each block and sends them all to Bob through the classical channel. Eve can wiretap the classical channel and is able to obtain the parities of the blocks. The parity of each block is considered as one bit of information, and so Alice and Bob take it for granted that one bit of information is leaked for each block. Bob computes the parities of the corresponding blocks of his sifted key and compares them with the parities sent by Alice. If all of them coincide, then Alice and Bob probably possess the identical key. Otherwise, some of Alice's blocks and Bob's blocks must differ in at least one position. In such a case, Alice and Bob divide each block whose parities differ into shorter blocks and continue the process until they do not find any differing parity. At any stage, Alice and Bob delete one bit from each block at the same position in order to make the information leaked to Eve meaningless. Repeating the process several times, Alice and Bob eventually establish an identical key with high probability. The demerits of this method are the following: Alice and Bob are not guaranteed to share the identical reconciled key. It wastes numerous bits and requires considerable computation. In the process of generating raw keys, Alice and Bob cannot theoretically predict the number of bits necessary to establish the reconciled key; that is, it is quite hard to theoretically estimate the efficiency of the error correction. 
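The block-parity method just described, as an added simulation written for this edition (not code from the paper or its authors): Alice and Bob are modelled as two 0/1 lists, each parity announced is counted as one bit leaked to Eve, and one bit of every compared block is deleted to cancel that leak. Block size, error positions and key length are constructed inputs. The second run in the usage test shows the demerit the text names: a block containing an even number of errors passes the parity check and the errors survive one pass.

```python
import random


def parity(bits):
    """Parity of a list of 0/1 values: 1 if an odd number of ones."""
    return sum(bits) & 1


def reconcile_block_parity(alice, bob, block_size):
    """One pass of the block-parity method on two equal-length 0/1 lists.

    Returns (alice_kept, bob_kept, parities_disclosed, corrected_positions).
    Each parity Alice announces over the classical channel is one bit leaked to
    Eve, so one bit of every compared block is deleted to cancel that leak.
    """
    assert len(alice) == len(bob)
    n = len(alice)
    bob = list(bob)                 # Bob corrects his own copy
    keep = [True] * n
    disclosed = 0
    corrected = []

    def compare(lo, hi):
        nonlocal disclosed
        disclosed += 1              # Alice's parity of [lo, hi) crosses the classical channel
        keep[lo] = False            # sacrifice one bit of this block for the leaked parity
        if parity(alice[lo:hi]) == parity(bob[lo:hi]):
            return                  # even number of errors (possibly zero): undetected
        if hi - lo == 1:
            bob[lo] ^= 1            # single differing bit located: flip it
            corrected.append(lo)
            return
        mid = (lo + hi) // 2        # odd number of errors: bisect the block
        compare(lo, mid)
        compare(mid, hi)

    for start in range(0, n, block_size):
        compare(start, min(start + block_size, n))

    alice_kept = [b for b, k in zip(alice, keep) if k]
    bob_kept = [b for b, k in zip(bob, keep) if k]
    return alice_kept, bob_kept, disclosed, corrected


def simulate(n_bits, error_positions, block_size, seed=1):
    """Constructed sample: a random sifted key for Alice and Bob's copy with errors
    at the given positions. Returns (keys_agree, parities_disclosed, corrected_positions)."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n_bits)]
    bob = list(alice)
    for pos in error_positions:
        bob[pos] ^= 1
    a_kept, b_kept, disclosed, corrected = reconcile_block_parity(alice, bob, block_size)
    return a_kept == b_kept, disclosed, corrected
```

With a 256-bit key, 16-bit blocks and three errors in three different blocks, 40 parities are disclosed (one per block plus eight per bisected block) and all three errors are found; with two errors inside one block, 16 parities are disclosed and nothing is corrected, which is why the paper says the method gives no guarantee of an identical reconciled key.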

Second, we explain one of the methods in Bennett, Brassard and Robert [ref]. They proposed that Alice sends the hash value of her sifted key through the classical channel. Bob computes the hash value of his sifted key as well and compares the two hash values. If they are identical, they share the identical reconciled key. Otherwise, Bob flips a few bits in his sifted key, computes the hash value of the altered key, and checks whether or not it coincides with the hash value of Alice's sifted key. Bob continues this process until he finds the key whose hash value coincides with the hash value of Alice's sifted key. Bob basically carries out an exhaustive search to find the positions in his bit string where the errors happened, until he detects the errors. The method is called bit twiddling. The defect of the method is that Bob is required to carry out substantial computation, and the hash value transmitted through the classical channel gives substantial information to Eve as well. Only under the very restricted assumption that the error rate is very low and the bit string is short can the exhaustive search be carried out. Otherwise, the task is impossible. It is also proposed in [ref] that Alice encodes her sifted key by an error correcting code and sends only the redundancy part of the encoded sifted key. The defect of this method is again that the redundancy part of the encoded sifted key gives substantial information to Eve. This method has several demerits; nevertheless, these can be remedied as we will see in Section 4. 

3 Neighborhood Collision Free Functions 

Let $H$ be a Boolean function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$. Intuitively, $H$ is neighborhood collision free if $H$ maps any two bit strings with a small Hamming distance to bit strings with a large Hamming distance. Recall that the Hamming distance of bit strings $x_1$ and $x_2$ is the number of positions where the entry of $x_1$ is different from that of $x_2$. The Hamming weight of a bit string $x$ is the Hamming distance between $x$ and the zero string (that is, the string consisting only of 0). This property should be satisfied by all (symmetric and asymmetric) encryption functions, although it is not sufficient for secure communication. Recall that a Boolean (hash) function $H$ is (strongly) collision free if it is hard to find bit strings $r_1$ and $r_2$ with $r_1 \ne r_2$ and $H(r_1) = H(r_2)$. In other words, $H$ is (strongly) collision free if it is hard to find bit strings $r_1$ and $r_2$ such that $r_1 \ne r_2$ and the Hamming distance between $H(r_1)$ and $H(r_2)$ is 0. This concept is generalized as follows. Let us denote the Hamming distance between $r$ and $s$ by $d(r, s)$, where $r, s \in \mathbb{Z}_2^m$ (for any $m$). For $t \in \mathbb{Z}_2^m$ the set $\{ s \in \mathbb{Z}_2^m \mid d(s, t) \le i \}$ is called the neighborhood around $t$ of radius $i$ and denoted by $N(t, i)$. We define several neighborhood collision free properties. Let $H$ be a Boolean function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$. 

— $H$ is a globally $j$-neighborhood collision free function if it is hard to find distinct $s, t \in \mathbb{Z}_2^l$ such that $H(s) \in N(H(t), j)$, equivalently $H(t) \in N(H(s), j)$ (or $N(H(s), j/2) \cap N(H(t), j/2)$ is not empty). 

— $H$ is a locally $j$-neighborhood collision free function in $i$-neighborhood if for every $u \in \mathbb{Z}_2^l$ it is hard to find distinct $s, t \in N(u, i)$ such that $H(s) \in N(H(t), j)$, equivalently $H(t) \in N(H(s), j)$ (or $N(H(s), j/2) \cap N(H(t), j/2)$ is not empty). 

— $H$ is a globally collision free function if it is hard to find $s, t \in \mathbb{Z}_2^l$ with $s \ne t$ such that $H(s) = H(t)$. 

— $H$ is a locally collision free function in $i$-neighborhood if for every $u \in \mathbb{Z}_2^l$ it is hard to find $s, t \in N(u, i)$ with $s \ne t$ such that $H(s) = H(t)$. 

These concepts play a vital role in construction of our error detection and 
authentication scheme. The concept of the hardness depends on the context, 
and it may be information theoretic or computational. A globally collision free 
property coincides with a (strongly) collision free property for cryptographic hash 
functions. It is easy to see that a globally j-neighborhood collision free function 
is a locally j-neighborhood collision free function in i-neighborhood, a globally j- 
neighborhood collision free function is a globally collision free function, a globally 
collision free function is a locally collision free function in j-neighborhood and 
a locally j-neighborhood collision free function in i-neighborhood is a locally 
collision free function in i-neighborhood. The converses are not necessarily true. 
See Fig. 2 for the relationships among the concepts. 



[Fig. 2 (diagram): Globally Neighborhood Collision Free Function at the top, with arrows to Globally Collision Free Function and to Locally Neighborhood Collision Free Function, both of which have arrows to Locally Collision Free Function at the bottom; each arrow points from the stronger property to the weaker one.] 

Fig. 2. Hierarchy of Collision Free Functions 
For example, good block ciphers show a strong avalanche effect, and hence they satisfy the globally neighborhood collision free property even with a low number of rounds. The globally neighborhood collision free property can be considered as a generalization of the avalanche effect. We shall show, in Section 5, that SHA-1 and MD5 satisfy the globally neighborhood collision free property by computer experiments. Our experiments show that SHA-1 has the 43-neighborhood collision free property, and MD5 has the 34-neighborhood collision free property; however, it is difficult to prove theoretically and rigorously that they really do. 

4 Error Detection Using Locally Neighborhood Collision 
Free Functions 

The methods explained in Section 2 waste numerous bits and require considerable computation, such as iterations of random permutations, to detect and correct errors. Moreover, it is difficult to predict the number of necessary bits, that is, the length of the raw keys needed to succeed in establishing an authenticated private key in the final stage. It is desirable to have a simple, efficient method so that the number of necessary bits can be predicted easily and theoretically in advance. We employ a locally neighborhood collision free function to detect errors in the sifted keys. 

Suppose that the physical error rate of the quantum data transmission is $\epsilon > 0$. We note that Alice and Bob should apply a random permutation to their sifted keys after the sifting process. If they have done so, we can suppose the errors are random, that is, the errors are uniformly distributed in Bob's sifted key. If Eve eavesdrops on the bits located at specific positions in the private key (according to her eavesdropping strategy) and Alice and Bob do not apply a random permutation, then the errors are bursty, that is, they are distributed non-uniformly in Bob's sifted key. After the error estimation process, Alice and Bob have their sifted keys $r$ and $s$, respectively, where $r, s \in \mathbb{Z}_2^l$ for some integer $l$. Then $r \oplus s$ shows the error bit pattern and its Hamming weight is approximately $\epsilon \times l$. Suppose $0 < \epsilon < 1$ and $0 < \alpha < 1$ are constants such that $\alpha$ is sufficiently larger than $\epsilon$. Let $H$ be a locally neighborhood collision free function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$, and let $\theta(H, \epsilon, \alpha)$ be the probability of the event $d(H(r_1), H(r_2)) \le \alpha \times k$ when we choose randomly and uniformly a pair $(r_1, r_2)$ of distinct bit strings from $\mathbb{Z}_2^l$ such that the Hamming distance between $r_1$ and $r_2$ is less than or equal to $\epsilon \times l$. A Boolean function $H$ is considered locally neighborhood collision free if $\theta(H, \epsilon, \alpha)$ is negligible for some constants $\epsilon$ and $\alpha$ such that $0 < \epsilon \ll \alpha < 1$. 

We now explain the basic idea of the error detection method. Suppose that $H$ is a locally neighborhood collision free function and $\theta = \theta(H, \epsilon, \alpha)$ is small. This implies that the probability that $d(H(r), H(s)) \le \alpha \times k$ for $r \ne s \in \mathbb{Z}_2^l$ with $d(r, s) \le \epsilon \times l$ is negligible. We assume the Hamming weight of $r \oplus s$ is less than $\epsilon \times l$. Hence, if $r \ne s$, then $H(s)$ is not in $N(H(r), \alpha \times k)$; equivalently, the Hamming weight of $H(r) \oplus H(s)$ is bigger than $\alpha \times k$, by the locally neighborhood collision free property of $H$. If $r = s$, then $H(r) = H(s)$ and so the Hamming weight of $H(r) \oplus H(s)$ is 0. 

We now suppose Alice and Bob possess $t$ and $t \oplus e$ as parts of their sifted keys, respectively, where $t, e \in \mathbb{Z}_2^k$ and the Hamming weight of $e$ is approximately $\epsilon \times k$. Then the Hamming distance between $H(r) \oplus t$ and $H(s) \oplus (t \oplus e)$ is the Hamming weight of $(H(r) \oplus t) \oplus (H(s) \oplus (t \oplus e)) = (H(r) \oplus H(s)) \oplus e$. Hence, the Hamming distance is approximately $\epsilon \times k$ if $r = s$, and otherwise it is more than $\alpha \times k$. So if a threshold between $\epsilon \times k$ and $\alpha \times k$ is fixed, Bob can determine whether or not $r = s$ by checking whether the Hamming distance between $H(r) \oplus t$ and $H(s) \oplus (t \oplus e)$ is smaller or bigger than the threshold. 

We combine this criterion for detecting the existence of errors with several methods for finding the exact bit positions where the errors occurred. We discuss several methods in the following subsections. The difference among the first three methods lies in the consumption of resources (computation, quantum data transmission and classical data transmission). This difference indicates the existence of a trade-off among computation, quantum communication and classical communication. 

4.1 Method 1 

Suppose that $l$ is the intended size of a reconciled key. Let $H$ be a locally neighborhood collision free function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$ such that the probability $\theta(H, \epsilon, \alpha)$ is negligible and $\epsilon \ll \alpha$. We assume Alice and Bob can make use of $H$. Note that $H$ is not necessarily kept secret, and hence Eve can also make use of it. Alice and Bob first establish $2l + k$ bit sifted keys in the sifting process. Alice and Bob have $2l + k$ bit binary strings $r$ and $r \oplus e$ as their sifted keys, respectively. Here, $e$ represents the errors. The Hamming weight of $e$ is approximately $\epsilon \times |e|$. The basic idea is that Alice and Bob sacrifice $l + k$ bits of their sifted keys and detect the error bits in $e$ without leaking any information to Eve. Then they share the first $l$ bits of $r$ and agree on them as their reconciled key. 

Suppose Alice has $r$ as her sifted key and $r = r_1 r_2 r_3$, where $r_1, r_2 \in \mathbb{Z}_2^l$ and $r_3 \in \mathbb{Z}_2^k$. Alice computes the hash value $H(r_1)$, then sends $r_1 \oplus r_2$ and $H(r_1) \oplus r_3$ to Bob through the classical channel. Eve can wiretap the classical channel. Bob has $r \oplus e$ as his sifted key and $r \oplus e = (r_1 \oplus e_1)(r_2 \oplus e_2)(r_3 \oplus e_3)$, where $e = e_1 e_2 e_3$, $e_1, e_2 \in \mathbb{Z}_2^l$ and $e_3 \in \mathbb{Z}_2^k$. Bob receives $r_1 \oplus r_2$ and $H(r_1) \oplus r_3$. Thus, Bob possesses $r_1 \oplus e_1$, $r_2 \oplus e_2$, $r_3 \oplus e_3$, $r_1 \oplus r_2$ and $H(r_1) \oplus r_3$. He computes the hash value $H(r_1 \oplus e_1)$. Next he computes $(r_1 \oplus e_1) \oplus (r_2 \oplus e_2) = r_1 \oplus r_2 \oplus e_1 \oplus e_2$ and $(r_1 \oplus r_2) \oplus (r_1 \oplus r_2 \oplus e_1 \oplus e_2) = e_1 \oplus e_2$. The bit string $e_1 \oplus e_2$ contains considerable information on the bit string $e_1 e_2$. Bob now computes $(H(r_1) \oplus r_3) \oplus (r_3 \oplus e_3) = H(r_1) \oplus e_3$ and $(H(r_1) \oplus e_3) \oplus H(r_1 \oplus e_1) = H(r_1) \oplus H(r_1 \oplus e_1) \oplus e_3$. If $e_1$ contains no 1, that is, $r_1 = r_1 \oplus e_1$, then we have $H(r_1) = H(r_1 \oplus e_1)$. In this case, $H(r_1) \oplus H(r_1 \oplus e_1) \oplus e_3 = e_3$. Hence, the Hamming weight of $H(r_1) \oplus H(r_1 \oplus e_1) \oplus e_3$ is smaller than the threshold with high probability. On the other hand, if $e_1$ contains a 1, then the Hamming weight of $H(r_1) \oplus H(r_1 \oplus e_1) \oplus e_3$ is larger than the threshold with high probability. So we can decide whether or not $e_1 = 0$ by the threshold criterion, that is, whether the Hamming weight of $H(r_1) \oplus H(r_1 \oplus e_1) \oplus e_3$ is bigger or smaller than the threshold. 

If $e_1 = 0$, then Alice and Bob have established the identical key $r_1$ of size $l$. If $H(r_1) \ne H(r_1 \oplus e_1)$, then Bob guesses $e_1$ from the information $e_1 \oplus e_2$ (bit twiddling). Then he computes the hash values of the bit strings twiddled from $r_1 \oplus e_1$ according to the information $e_1 \oplus e_2$ and compares them with $H(r_1) \oplus e_3$. Bob can eventually find $e'$ such that $H(r_1) = H(r_1 \oplus e_1 \oplus e')$ (strictly speaking, $e'$ such that the Hamming distance between $H(r_1) \oplus e_3$ and $H(r_1 \oplus e_1 \oplus e')$ is smaller than the threshold). Since $H$ is locally neighborhood collision free, it is implausible that he finds $e' \ne e_1$ with $H(r_1) = H(r_1 \oplus e_1 \oplus e')$. Hence $e' = e_1$ holds with high probability and Bob can detect all the errors that occurred in the quantum data transmission. Alice and Bob can delete or correct these error bits $e_1 = e'$ and establish a reconciled key $r_1'$ of length slightly shorter than $l$ (when the errors are deleted). We should note that if Alice and Bob correct (rather than delete) and reuse the error bits, then they share the reconciled key $r_1$ of exactly size $l$. Amplifying privacy, they can reduce the enemy's information at their own will. The method is schematically illustrated in Fig. 3. 
Fig. 3. Method 1 
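Method 1 end to end, as an added Python simulation written for this edition (it is not the authors' code): $H$ is SHA-1, as the paper proposes in Section 5, so $k = 160$; Alice's two classical messages $r_1 \oplus r_2$ and $H(r_1) \oplus r_3$ are the only values Eve sees; Bob derives $e_1 \oplus e_2$ and $H(r_1) \oplus e_3$, applies the threshold criterion, and on a mismatch twiddles only the positions where $e_1 \oplus e_2$ is 1. The threshold is an assumption (the paper only places it between $\epsilon k$ and $\alpha k$; the midpoint is used), and the key and error vectors are constructed test inputs.

```python
import hashlib
import itertools
import random

K = 160  # SHA-1 output length in bits; H maps Z_2^l to Z_2^k with k = 160


def H(s: bytes) -> bytes:
    """The locally neighborhood collision free function; SHA-1 as proposed in Section 5."""
    return hashlib.sha1(s).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weight(a: bytes) -> int:
    """Hamming weight."""
    return sum(bin(x).count("1") for x in a)


def flip_bits(s: bytes, positions) -> bytes:
    """Return s with the given bit positions flipped (bit 0 is the MSB of byte 0)."""
    out = bytearray(s)
    for p in positions:
        out[p // 8] ^= 1 << (7 - p % 8)
    return bytes(out)


def bit_positions(s: bytes):
    """Positions of the 1 bits of s."""
    return [p for p in range(len(s) * 8) if (s[p // 8] >> (7 - p % 8)) & 1]


def threshold(eps: float, alpha: float, k: int = K) -> float:
    # Assumption: the paper only fixes the threshold between eps*k and alpha*k; midpoint used here.
    return (eps + alpha) / 2 * k


def bob_method1(r1e1, r2e2, r3e3, r1x2, h1x3, eps, alpha, max_twiddle):
    """Bob's side of Method 1.

    r1e1, r2e2, r3e3: Bob's sifted key parts r1+e1, r2+e2, r3+e3 (+ is XOR).
    r1x2, h1x3: Alice's classical messages r1+r2 and H(r1)+r3.
    Returns (errors_detected, recovered_e1); recovered_e1 is None if twiddling fails.
    """
    e1x2 = xor(xor(r1e1, r2e2), r1x2)        # (r1+e1)+(r2+e2)+(r1+r2) = e1+e2
    h1e3 = xor(h1x3, r3e3)                    # (H(r1)+r3)+(r3+e3) = H(r1)+e3

    def accept(candidate):                    # threshold criterion of Section 4
        return weight(xor(h1e3, H(candidate))) < threshold(eps, alpha)

    if accept(r1e1):                          # weight about eps*k: e1 = 0
        return False, bytes(len(r1e1))
    # Bit twiddling: e1 can only have ones where e1+e2 does, unless e1 and e2 both
    # carry an error at the same position (rare for small eps); those are missed here.
    hint = bit_positions(e1x2)
    for t in range(1, max_twiddle + 1):
        for subset in itertools.combinations(hint, t):
            candidate = flip_bits(r1e1, subset)
            if accept(candidate):             # locally NCF: only r1 itself passes
                return True, xor(candidate, r1e1)
    return True, None


def run_method1(l_bits, eps, alpha, e1_pos, e2_pos, e3_pos, seed=7):
    """Constructed end-to-end run: random sifted key r = r1 r2 r3 (|r1| = |r2| = l_bits,
    |r3| = K) and error vectors with ones at the given positions.
    Returns (errors_detected, e1_recovered_exactly, reconciled_key_equals_r1)."""
    rng = random.Random(seed)
    rand = lambda nbytes: bytes(rng.randrange(256) for _ in range(nbytes))
    r1, r2, r3 = rand(l_bits // 8), rand(l_bits // 8), rand(K // 8)
    e1 = flip_bits(bytes(l_bits // 8), e1_pos)
    e2 = flip_bits(bytes(l_bits // 8), e2_pos)
    e3 = flip_bits(bytes(K // 8), e3_pos)
    r1x2, h1x3 = xor(r1, r2), xor(H(r1), r3)  # all that crosses the classical channel
    detected, rec = bob_method1(xor(r1, e1), xor(r2, e2), xor(r3, e3),
                                r1x2, h1x3, eps, alpha, max_twiddle=3)
    reconciled = None if rec is None else xor(xor(r1, e1), rec)
    return detected, rec == e1, reconciled == r1
```

With $l = 64$, $\epsilon = 0.03$ and $\alpha = 0.35$ the threshold is 30.4 bits: a clean $r_1$ yields a difference of weight $|e_3|$ (a few bits), while any wrong candidate yields a SHA-1 difference of about 80 bits, so the two cases separate cleanly. The search over subsets of the hint positions is exponential in the number of errors, which is the computation-versus-communication trade-off the following subsections discuss.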



We briefly discuss the security of the method. Eve can only obtain information from the communication through the classical channel, under the assumption that the process of establishing the sifted key is sound. Thus, Eve can obtain only $r_1 \oplus r_2$ and $H(r_1) \oplus r_3$. By the mechanism of the quantum key distribution scheme, $r_1$, $r_2$ and $r_3$ are mutually independent random bit strings. We can consider $r_1$ and $H(r_1)$ as encrypted by the one-time pad, also known as the Vernam cipher [ref], sacrificing $r_2$ and $r_3$, respectively. This implies that Eve can obtain virtually no information, as the one-time pad enjoys perfect secrecy [ref]. However, physical implementation problems leave room for Eve to obtain a small amount of information. In the case that Eve wiretapped only a small fraction of the total data transmission, succeeded in her attack and obtained partial information on the reconciled key $r_1$, the information is estimated at most $2\epsilon \times l$ bits. This leaked information can be removed by the privacy amplification process. 



4.2 Method 2 

We suppose Bob has strong computation power and then discuss a method to reduce the amount of quantum data transmission by demanding substantial computation from Bob as a trade-off. Data transmission through the quantum channel costs much more than data transmission through the classical channel and computation, and hence it is reasonable to require Bob to perform substantial computation if he has abundant computation resources. As before, $H$ is a locally neighborhood collision free function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$ such that the probability $\theta(H, \epsilon, \alpha)$ is negligible and $\epsilon \ll \alpha$. 

Suppose that Alice has $r_1 r_2$ as her sifted key, where $r_1 \in \mathbb{Z}_2^l$ and $r_2 \in \mathbb{Z}_2^k$, whereas Bob has $(r_1 \oplus e_1)(r_2 \oplus e_2)$ as his sifted key, where $e_1$ and $e_2$ represent the errors. Alice computes the hash value $H(r_1)$ and sends $H(r_1) \oplus r_2$ to Bob through the classical channel. The communication can be considered encrypted by the one-time pad. Note that the number of bits transmitted is the constant $k$. Bob computes $H(r_1 \oplus e_1)$ and $(H(r_1) \oplus r_2) \oplus (r_2 \oplus e_2) = H(r_1) \oplus e_2$. If $H(r_1) = H(r_1 \oplus e_1)$, then $H(r_1 \oplus e_1) \oplus H(r_1) \oplus e_2 = e_2$ and its Hamming weight is approximately $k \times \epsilon$. If $H(r_1) \ne H(r_1 \oplus e_1)$, then the Hamming weight of $H(r_1 \oplus e_1) \oplus H(r_1) \oplus e_2$ is approximately $k \times \alpha$ since $H$ is locally neighborhood collision free. Since $\alpha$ is sufficiently larger than $\epsilon$, we can conclude with high probability that $H(r_1) = H(r_1 \oplus e_1)$ if the Hamming weight of $H(r_1 \oplus e_1) \oplus H(r_1) \oplus e_2$ is smaller than the threshold, and $H(r_1) \ne H(r_1 \oplus e_1)$ otherwise. If $H(r_1) \ne H(r_1 \oplus e_1)$, then Bob twiddles randomly up to $\epsilon \times l$ bits of $r_1 \oplus e_1$, computes the hash values of the results and then compares them with $H(r_1) \oplus e_2$ by the threshold criterion. Bob can eventually find $e_1$ by exhaustive search; however, $e_1$ has approximately $\epsilon \times l$ bits of 1 and so Bob twiddles only up to about $\epsilon \times l$ bits of $r_1 \oplus e_1$. Clearly Bob's computation task depends on the length of $r_1$ and the error rate $\epsilon$. 

Let us discuss the amount of data transmission through the quantum and classical channels. In Method 1, Alice and Bob have to generate sifted keys of size $2l + k$ to generate a reconciled key of length $l$ bits. The amount of quantum data transmission is proportional to $2l + k$. The amount of classical data transmission is $l + k$. In Method 2, on the other hand, the amount of quantum data transmission is proportional to $l + k$ and the amount of classical data transmission is $k$. 

Another merit of Method 2 is that the information potentially leaked to Eve is reduced compared with Method 1. The reason is that the total (quantum and classical) communication is less than in Method 1. In Method 1, it is estimated that Eve may have stolen at most $\epsilon \times (2k + l)$ bits, whereas in Method 2 at most $\epsilon \times (k + l)$ bits. 
A defect of Method 2 is that it requires a considerable amount of computation from Bob. If $\epsilon$ is small and the length of the established key is small, then Bob's computation can be carried out on a desktop computer. However, if $\epsilon$ is large and the key length is long, then the computation becomes an impossible task. 

4.3 Method 3 

We give an intermediate between Method 1 and Method 2. Suppose $H$ is a locally neighborhood collision free function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$ such that the probability $\theta(H, \epsilon, \alpha)$ is negligible and $\epsilon \ll \alpha$. Alice has $r_1 r_2 r_3 r_4$ as her sifted key, where $r_1, r_2, r_3 \in \mathbb{Z}_2^{l/2}$ and $r_4 \in \mathbb{Z}_2^k$. Similarly Bob has $(r_1 \oplus e_1)(r_2 \oplus e_2)(r_3 \oplus e_3)(r_4 \oplus e_4)$ as his sifted key, where $e_1, e_2, e_3 \in \mathbb{Z}_2^{l/2}$ and $e_4 \in \mathbb{Z}_2^k$. The string $e_1 e_2 e_3 e_4$ represents the errors. Alice and Bob intend to establish a reconciled key $r_1 r_2$. The bit string $e_1 e_2$ contains approximately $\epsilon \times l$ bits of 1. Alice computes $r_1 \oplus r_2 \oplus r_3$ and $H(r_1 r_2) \oplus r_4$ and sends them to Bob through the classical channel. Bob computes $(r_1 \oplus r_2 \oplus r_3) \oplus (r_3 \oplus e_3) = r_1 \oplus r_2 \oplus e_3$ and $(H(r_1 r_2) \oplus r_4) \oplus (r_4 \oplus e_4) = H(r_1 r_2) \oplus e_4$. He computes $(r_1 \oplus e_1) \oplus (r_2 \oplus e_2) = r_1 \oplus r_2 \oplus (e_1 \oplus e_2)$, and then $(r_1 \oplus r_2 \oplus e_3) \oplus (r_1 \oplus r_2 \oplus (e_1 \oplus e_2)) = e_1 \oplus e_2 \oplus e_3$. If $r_1 r_2$ is equal to $(r_1 \oplus e_1)(r_2 \oplus e_2) = (r_1 r_2) \oplus (e_1 e_2)$, then the Hamming distance between $H(r_1 r_2) \oplus e_4$ and $H((r_1 \oplus e_1)(r_2 \oplus e_2))$ is approximately $\epsilon \times k$. On the other hand, if $r_1 r_2$ is not equal to $(r_1 \oplus e_1)(r_2 \oplus e_2)$, then the Hamming distance between $H(r_1 r_2) \oplus e_4$ and $H((r_1 \oplus e_1)(r_2 \oplus e_2))$ is more than $\alpha \times k$. Since $\alpha$ is sufficiently larger than $\epsilon$, Bob can decide whether or not $e_1 e_2 = 0$ by the threshold criterion, that is, whether the Hamming distance between $H(r_1 r_2) \oplus e_4$ and $H((r_1 \oplus e_1)(r_2 \oplus e_2))$ is bigger or smaller than the threshold. If $H(r_1 r_2) = H((r_1 \oplus e_1)(r_2 \oplus e_2))$, then Alice and Bob agree on the reconciled key $r_1 r_2$. If $H(r_1 r_2) \ne H((r_1 \oplus e_1)(r_2 \oplus e_2))$, then Bob guesses $e_1 e_2$ using the information $e_1 \oplus e_2 \oplus e_3$ (bit twiddling). Clearly it is much easier to find $e_1 e_2$ than in Method 2, but more difficult than in Method 1. 

For Alice and Bob to establish a reconciled key of length $l$, $r_1 r_2$ must be of length $l$. Note that $|r_1| = |r_2| = |r_3| = l/2$ and $|r_4| = k$. Hence, Alice and Bob have to generate a sifted key of length $\frac{3}{2} l + k$. If we ignore $k$, they need to generate a bit string of length almost $\frac{3}{2}$ of the reconciled key length, whereas sifted keys of size $2l$ and $l$ are required in Method 1 and Method 2, respectively. 

4.4 Method Using Error Correcting Codes 

We briefly discuss a method using error correcting codes. Suppose $H$ is a locally neighborhood collision free function from $\mathbb{Z}_2^l$ to $\mathbb{Z}_2^k$ such that the probability $\theta(H, \epsilon, \alpha)$ is negligible and $\epsilon \ll \alpha$. To correct the errors in the sifted keys of Alice and Bob, Alice may want to encode her sifted key by a classical error correcting code and transmit only the redundancy part of the encoded sifted key. However, the redundancy part gives substantial information about Alice's sifted key, and hence the redundancy part must be encrypted to prevent Eve from obtaining any information. We propose to encrypt the redundancy part by the one-time pad. Suppose Alice has $r_1 r_3$ as her sifted key, where $r_1 \in \mathbb{Z}_2^l$ and $r_3 \in \mathbb{Z}_2^k$, and Bob has $(r_1 \oplus e_1)(r_3 \oplus e_3)$ as his sifted key, where $e_1 \in \mathbb{Z}_2^l$ and $e_3 \in \mathbb{Z}_2^k$. Alice computes the redundancy (denoted by $C(r_1)$) of the encoded word of $r_1$ by the error correcting code $C$. Bob can detect and correct the error bit string $e_1$ if he has most of the correct bits of $C(r_1)$ together with his sifted key $r_1 \oplus e_1$. Alice sends $C(r_1) \oplus r_3$, and hence $C(r_1)$ is encrypted by the one-time pad and so gives virtually no information to Eve even if she can eavesdrop on it. Bob can compute $(C(r_1) \oplus r_3) \oplus (r_3 \oplus e_3) = C(r_1) \oplus e_3$. Hence, if the error rate is small enough, then Bob can correct the error bits due to the error-correcting ability of $C$. For instance, we can use the Reed-Solomon code [ref] for our purpose because of its capability of correcting random errors. Note that we may assume that the errors are distributed uniformly all over the sifted keys because Alice and Bob applied a random permutation to their sifted keys after the sifting process. 
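The masked-redundancy method above, as an added Python example written for this edition (not the paper's code). To stay self-contained it substitutes a Hamming(7,4) code for the Reed-Solomon code the paper proposes: each 4-bit block of $r_1$ contributes 3 redundancy bits, so $|r_3| = \frac{3}{4}|r_1|$, and each 7-bit block tolerates one error in its data or parity bits. Alice sends $C(r_1) \oplus r_3$; Bob unmasks to $C(r_1) \oplus e_3$ and corrects block by block. Keys and error positions are constructed inputs; the second run in the test shows what happens when a block holds more errors than the code can handle.

```python
import random


def hamming74_redundancy(d):
    """Parity bits (p1, p2, p3) of the Hamming(7,4) codeword for data bits d = (d1, d2, d3, d4)."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]


def hamming74_correct(d, p):
    """Correct at most one flipped bit among the 7 bits (data or parity); return the 4 data bits."""
    d1, d2, d3, d4 = d
    p1, p2, p3 = p
    # Syndrome bits are the parities over codeword positions {1,3,5,7}, {2,3,6,7}, {4,5,6,7}.
    syndrome = (p1 ^ d1 ^ d2 ^ d4) | (p2 ^ d1 ^ d3 ^ d4) << 1 | (p3 ^ d2 ^ d3 ^ d4) << 2
    codeword = [p1, p2, d1, p3, d2, d3, d4]   # standard positions 1..7
    if syndrome:
        codeword[syndrome - 1] ^= 1           # the syndrome is the 1-based error position
    return [codeword[2], codeword[4], codeword[5], codeword[6]]


def redundancy(r1):
    """C(r1): concatenated redundancy of r1 encoded block by block (len(r1) % 4 == 0)."""
    out = []
    for i in range(0, len(r1), 4):
        out += hamming74_redundancy(r1[i:i + 4])
    return out


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def alice_message(r1, r3):
    """Alice sends C(r1) one-time-padded with her spare sifted bits r3 (|r3| = 3|r1|/4)."""
    return xor_bits(redundancy(r1), r3)


def bob_correct(r1e1, r3e3, msg):
    """Bob unmasks C(r1)+e3 with his copy r3+e3 and corrects his copy r1+e1 block by block."""
    c_e3 = xor_bits(msg, r3e3)                # (C(r1)+r3)+(r3+e3) = C(r1)+e3
    out = []
    for i in range(0, len(r1e1), 4):
        j = 3 * (i // 4)                      # start of this block's 3 parity bits
        out += hamming74_correct(r1e1[i:i + 4], c_e3[j:j + 3])
    return out


def run_ecc(n_bits, e1_pos, e3_pos, seed=3):
    """Constructed run: random r1 (n_bits) and r3 (3*n_bits/4); errors at the given
    bit positions of r1 and of r3. Returns whether Bob's corrected key equals r1."""
    rng = random.Random(seed)
    r1 = [rng.randrange(2) for _ in range(n_bits)]
    r3 = [rng.randrange(2) for _ in range(3 * n_bits // 4)]
    e1 = [1 if i in e1_pos else 0 for i in range(len(r1))]
    e3 = [1 if i in e3_pos else 0 for i in range(len(r3))]
    msg = alice_message(r1, r3)
    return bob_correct(xor_bits(r1, e1), xor_bits(r3, e3), msg) == r1
```

Errors in $r_3$ land in the unmasked redundancy exactly as the text describes ($C(r_1) \oplus e_3$), so the code must absorb errors on both the data and the parity side; two errors in one 7-bit block are miscorrected by Hamming(7,4), which is why a stronger code and a low error rate are required in practice. Eve sees only $C(r_1) \oplus r_3$, which is independent of $r_1$ because $r_3$ is a fresh random sifted string.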

4.5 Authentication 

After generating a reconciled key, Alice and Bob carry out privacy amplification
and obtain their private key. Next they confirm the integrity of their private
key. We can employ the same idea to authenticate a private key. We should note
that the existing methods basically require a previously shared authenticated
private key, while ours does not. Suppose that after the privacy amplification
process, Alice has her private key r_1 and Bob has his private key r_1', where
r_1, r_1' ∈ Z_2^…. When making their raw keys, Alice and Bob generate extra sifted
keys r_3 and r_3 ⊕ e_3, respectively, where r_3 ∈ Z_2^… and e_3 represents the
errors. Alice sends H(r_1) ⊕ r_3 to Bob. This transmission is considered as
encrypted by the one-time pad, and hence Eve obtains virtually no information.
Bob computes (H(r_1) ⊕ r_3) ⊕ (r_3 ⊕ e_3) = H(r_1) ⊕ e_3 and checks whether or
not the Hamming distance between H(r_1) ⊕ e_3 and H(r_1 ⊕ e_1) is smaller than
the threshold. If so, r_1' = r_1 ⊕ e_1 with e_1 = 0, i.e. the two private keys
agree; otherwise, r_1' ≠ r_1. This authentication method can be applied after the
error correction process. We also note that the method can be employed after any
error correction and privacy amplification method.
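The authentication step above, as an added example that is not code from the paper. It assumes H is SHA-1 (the function the authors test in Section 5), a threshold of 40 (a quarter of the 160-bit digest, chosen below the minimum distance 44 the paper observed), and constructed keys and error strings.

```python
"""Private-key authentication of Section 4.5: Alice sends H(r1) XOR r3, Bob
unmasks it with his noisy pad and compares Hamming distances.

Added example, not the paper's code. Assumptions: H = SHA-1, THRESHOLD = 40
(a quarter of the 160-bit digest), and constructed keys/error strings."""
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def H(key: bytes) -> bytes:
    return hashlib.sha1(key).digest()  # 20 bytes = 160 bits


THRESHOLD = 40  # assumed threshold value below the observed minimum distance 44


def flip_bit(data: bytes, pos: int) -> bytes:
    out = bytearray(data)
    out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def alice_message(r1: bytes, r3: bytes) -> bytes:
    """H(r1) one-time-padded with the extra 160-bit sifted key r3."""
    return xor(H(r1), r3)


def bob_accepts(msg: bytes, bob_r1: bytes, bob_r3: bytes) -> bool:
    """Bob holds r1' and r3^e3. (H(r1)^r3)^(r3^e3) = H(r1)^e3 is compared with
    H(r1'); a distance below the threshold means r1' = r1 (only e3 remains)."""
    unmasked = xor(msg, bob_r3)
    return hamming(unmasked, H(bob_r1)) < THRESHOLD


# Constructed sample: a 128-bit private key, a 160-bit pad, and a weight-3 e3.
R1 = bytes.fromhex("0123456789abcdef0123456789abcdef")
R3 = bytes(range(20))
BOB_R3 = flip_bit(flip_bit(flip_bit(R3, 1), 77), 150)   # r3 ^ e3, |e3| = 3


def residual_distance(bob_key_error_bit=None) -> int:
    """Distance Bob measures: the weight of e3 (3) when the keys agree, and
    around 80 (half the digest) when Bob's key differs in even one bit."""
    bob_r1 = R1 if bob_key_error_bit is None else flip_bit(R1, bob_key_error_bit)
    unmasked = xor(alice_message(R1, R3), BOB_R3)
    return hamming(unmasked, H(bob_r1))


if __name__ == "__main__":
    print("same key:", residual_distance(), bob_accepts(alice_message(R1, R3), R1, BOB_R3))
    print("key off by one bit:", residual_distance(9),
          bob_accepts(alice_message(R1, R3), flip_bit(R1, 9), BOB_R3))
```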

5 Experimental Results 

To implement our error detection method, we need a concrete locally neighborhood
collision free function. We show by computer experiments that SHA-1 [?] and
MD5 [?] satisfy the locally neighborhood collision free property. If a function
H satisfies the locally neighborhood collision free property, then the Hamming
distance of H(x_1) and H(x_2) is expected to be relatively large with high
probability for any bit strings x_1, x_2 having a small Hamming distance. In our
experiments, we choose randomly N = 100,000,000 pairs (x_1, x_2) of bit strings
having Hamming distance 1 (10, 20, respectively). Then we count the frequency of
the Hamming distance of the pair (H(x_1), H(x_2)). If H is a cryptographic hash
function, we easily imagine that this Hamming distance exhibits a normal
distribution. If the standard deviation is relatively small, that is, most
samples yield a Hamming distance close to the mean value, then we can conclude
that H is a good neighborhood collision free function.

We consider SHA-1 as a function from Z_2^… to Z_2^160, that is, we restrict its
domain to Z_2^… in our experiments. We expect the mean value to be 80, and the
Hamming distance d(H(x_1), H(x_2)) to be close to 80 for most pairs (x_1, x_2).
Actually, our experiments for SHA-1 with 10,000,000 samples of Hamming distance
1 (10, 20) show that the mean value is about 80, the standard deviation is 6.3,
the minimum of d(H(x_1), H(x_2)) is 44, and the maximum of d(H(x_1), H(x_2)) is
115. See Table 1 for the statistics and Fig. 4 for the histograms in the
Appendix. Our experiments show that the deviation is small enough. Hence, SHA-1
has the good neighborhood collision free property, and so most pairs of bit
strings with Hamming distance 1 are mapped to strings with Hamming distance close
to 80. For example, we may set α = …. Then the probability θ(H, α, ε) is
negligible for any error rate 0 < ε < α. In this case, the threshold value is
around … × 160.

We consider MD5 as a function from Z_2^… to Z_2^128. Hence, we expect the mean
value to be 64, and the Hamming distance d(H(x_1), H(x_2)) to be close to 64 for
most pairs (x_1, x_2). Our experiments for MD5 with 10,000,000 samples of Hamming
distance 1 (10, 20) show that the mean value is about 64, the standard deviation
is 5.6, the minimum of d(H(x_1), H(x_2)) is 34, and the maximum of
d(H(x_1), H(x_2)) is 95. See Table 1 for the statistics and Fig. 5 for the
histograms in the Appendix.

Our experiments show that the deviation is small enough. Hence, MD5 has the good
neighborhood collision free property, and so most pairs of bit strings with
Hamming distance 1 are mapped to strings with Hamming distance close to 64. For
example, we may set α = …. Then the probability θ(H, α, ε) is negligible for any
error rate 0 < ε < α. In this case, the threshold value is around … × 128.
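A miniature of the experiment described in this section, as an added example that is not the authors' code: random input pairs at Hamming distance d are hashed and the output distances summarised as in Table 1. The sample count, seed, 256-bit input length and the threshold 40 used to estimate the failure probability are assumptions.

```python
"""Neighborhood collision free experiment of Section 5 (added example, not the
paper's code). Assumptions: 256-bit random inputs, a fixed seed, far fewer
samples than the paper's 10^7, and an assumed threshold of 40 for the estimate
of the probability that the output distance falls below the threshold."""
import hashlib
import random
import statistics


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_random_bits(x: bytes, d: int, rng: random.Random) -> bytes:
    """Return a copy of x with exactly d distinct bits flipped."""
    out = bytearray(x)
    for pos in rng.sample(range(len(x) * 8), d):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def neighborhood_stats(hash_name: str, distance: int, samples: int,
                       input_bits: int = 256, threshold: int = 40,
                       seed: int = 1) -> dict:
    """Sample pairs (x1, x2) with d(x1, x2) = distance and collect the
    distribution of d(H(x1), H(x2)); frac_below estimates the probability
    that a neighbouring pair lands below the threshold."""
    rng = random.Random(seed)
    dists = []
    for _ in range(samples):
        x1 = rng.getrandbits(input_bits).to_bytes(input_bits // 8, "big")
        x2 = flip_random_bits(x1, distance, rng)
        h1 = hashlib.new(hash_name, x1).digest()
        h2 = hashlib.new(hash_name, x2).digest()
        dists.append(hamming(h1, h2))
    return {
        "mean": statistics.fmean(dists),
        "sd": statistics.pstdev(dists),
        "min": min(dists),
        "max": max(dists),
        "frac_below": sum(1 for v in dists if v < threshold) / samples,
    }


if __name__ == "__main__":
    for name in ("sha1", "md5"):
        for d in (1, 10, 20):
            s = neighborhood_stats(name, d, 20000)
            print(f"{name:5} HD={d:2}  mean={s['mean']:.3f}  sd={s['sd']:.3f}  "
                  f"min={s['min']:3}  max={s['max']:3}  below40={s['frac_below']}")
```

With a few thousand samples the mean and standard deviation already settle near the paper's values (about 80 and 6.3 for SHA-1, 64 and 5.7 for MD5); the extreme values need the paper's far larger sample to reproduce.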
Appendix: Statistic and Histogram

Table 1. Statistic of Experiments on SHA-1 and MD5 (HD: Hamming distance of the
input pair; #data: number of pairs; MEAN, S.D., max.h.d, min.h.d: mean, standard
deviation, maximum and minimum of the Hamming distance of the output pair)

Algorithm   HD   #data   MEAN        S.D.       max.h.d   min.h.d
SHA-1        1   10^7    80.000029   6.327076   115       44
SHA-1       10   10^7    80.004204   6.334314   109       49
SHA-1       20   10^7    79.994482   6.321717   111       47
MD5          1   10^7    63.999359   5.656389    95       34
MD5         10   10^7    63.998326   5.658194    93       38
MD5         20   10^7    63.995178   5.655455    92       37


In Fig. 4 and Fig. 5, the graphs labeled Dis:1, Dis:10 and Dis:20 show the
histograms for input Hamming distances 1, 10 and 20, respectively.

[Figure] Fig. 4. Hamming Distance Histogram of SHA-1 (vertical axis: Frequency)

[Figure] Fig. 5. Hamming Distance Histogram of MD5 (vertical axis: Frequency)
Abstract. Trust is essential to a communication channel. The trust
relationships, which play an important role in Public Key Infrastructures
(PKIs), need to be formalized for providing a reliable modelling methodology
to support secure digital communications. In this paper, we present a typed
modal logic used for specifying and reasoning about trust in PKIs. In order to
study trust relationships within PKIs, we define TA (a set of trust axioms),
TB (a trust base) and TC (a set of trusted certificates). In our method, the
trust relation in a given PKI is formalized by trust axioms. Based on trust
axioms, an agent can have its own trust base that contains all agents whom the
agent trusts, and can derive and extend its trusted certificates set. The trust
theory for a given PKI, which consists of our modal logic and a set of trust
axioms proposed for the PKI, is the basis of the certificate verification
function.

Keywords: certificate, CA (Certificate Authority), PKI (Public Key
Infrastructure), trust, trust theory, certificate verification, information
security.



1 Introduction 

Public key technology within Public Key Infrastructure (PKI) has widely been 
recognised as a fundamental technology for supporting secure digital communi- 
cation (for example: electronic commerce and secure messaging). A PKI can be 
viewed as a system consisting of the entire, generally heterogeneous, set of com- 
ponents, which are involved in issuing, rekeying, revoking and managing public 
key certificates. It has two essential relations, the certification relation and the 
trust relation. 

The certification relation is usually defined based on the roles that agents (or
participants) play in the PKI. For instance, RFC 1422 [?] defines a rigid
hierarchical structure for the Internet Privacy Enhanced Mail (PEM) [?]. There
are three types of PEM CAs: the Internet Policy Registration Authority (IPRA)
acts as the root of the PEM certification hierarchy at level 0, and issues
certificates only for the next level of authorities, called PCAs (Policy
Certification Authorities); PCAs, at level 1 of the PEM certification hierarchy,
take the responsibility for establishing and publishing the certification policy
with respect to certifying users or subordinate certification authorities; and
CAs, which are at level 2 of the hierarchy and can also be at lower levels (those
at level 2 are certified by PCAs). We will adopt the concept of PKI certification
topology, proposed by Liu et al. [?], to describe the certification path
architecture of a PKI.

The trust relation is somewhat different from the certification relation. It
captures agents’ beliefs and can be modelled by belief logics similar to the BAN
logic [?]. Trust depends on the observer (agent), and there is no absolute trust.
Two different agents may not equally trust any received information. A message
may carry some information, and different people (agents) may act differently
depending on whether they believe this information or not.

Linguistically, “trust” is closely related to “true” and “faithful” , with a usual 
dictionary meaning of “assured reliance on the character, the integrity, justice, 
etc., of a person, or something in which one places confidence”. So, in common 
English usage “trust” is what one places his confidence in, or, expects to be 
truthful. In a PKI, one of the main concerns for an agent is whether a certifi- 
cate is trustworthy or not. In managing public key certificates, a PKI provides 
mechanisms allowing an agent to determine whether a needed certificate can be 
trusted (or, in the agent’s view, that the certificate is valid). 

PKIs simplify key management but create trust management problems [?].
Blaze et al. [?] have identified such trust management problems as a distinct
and important component of security in network services. Recently, several trust
models with PKIs have also been proposed, which involve the development of
effective formalisms used to define and express trust relations between entities
involved in a PKI [?], and the investigation of techniques for dealing with trust
management [?] and the uncertainty in a trust model [?]. In a PKI, what makes a
public key certificate trustworthy? How can one specify and reason about trust?
We have to deal with these sorts of questions. However, trust models and
management techniques in present implementations are very limited. Richer trust
models and new techniques for specifying and reasoning about trust for PKIs are
therefore highly desirable.

Trust is essential to a communication channel. The trust relationships, which 
play an important role in Public Key Infrastructures (PKIs), need to be formal- 
ized for providing a reliable modelling methodology to support secure digital 
communications. This paper presents an axiomatic approach to the description 
of trust in PKIs. It proposes a typed modal logic for specifying and reasoning 
about trust in a PKI, which is an extension of first-order logic with typed vari- 
ables and modal operators representing agents’ beliefs. In order to study the 
trust relationship within a PKI, we define TA (a set of trust axioms), TB (a 
trust base) and TC (a set of trusted certificates). In our model, the trust relation 
in a PKI is formalized by TA. Based on TA, the set of trust axioms, an agent 
can have its own TB, the trust base, that contains all “persons” whom the agent 
trusts. The agent can also derive and extend its TC, i.e., the set of certificates 
trusted by itself. The axiomatic approach proposed in the paper allows us to 
build a trust theory that consists of the logic and a set of trust axioms for a 
given PKI. The trust theory is a basis for a main client function, the certificate 
verification function. 

This paper is structured as follows. Section 2 discusses the format of PKI 
certificates. Section 3 is a brief introduction to the state-based model for PKIs, 
and Section 4 talks about trust relationship involved in PKIs. Section 5 presents 
a logic for trust transferring in PKIs. Section 6 discusses trust ABC: trust axioms 
(TA), trust bases (TB) and trust certificates (TC) for a PKI. Section 7 discusses 
the application of our method in the certificate path validation. The last section 
concludes the paper with a short discussion about possible future work. 

2 PKI Certificates 

The PKI entities, which we call agents in this paper, are classified into two 
classes: Certification Authorities (CAs)¹ and Users. CAs can have their own 
certificates, and they also issue certificates for others within the PKI. Users, also 
called End Entities (EEs) , are people or devices that may hold certificates issued 
by some CAs, but cannot issue valid certificates themselves. 

Without loss of generality, we assume that PKI certificates have a “stan- 
dard” public-key certificate format, which contains the basic information that 
most kinds of public key certificates should provide as follows: the name of the 
certificate issuer, the start and expiry dates, the subject (i.e., the name of the 
holder of the private key for which the corresponding public key is being certi- 
fied), the value of the public key, the extension field, and the signature of the 
issuer. Formally, we define a PKI certificate to have the following form: 

Cert (I, DS, DE, S, PK, E, Sig) 

where I is the issuer, DS and DE are the start date and expiry date respectively, 
S is the subject of the certificate, PK is the value of the public key for S, E is the 
value of the extension field, and Sig holds the signature of the issuer I. 

Given a certificate 

C = Cert (I, DS, DE, S, PK, E, Sig) 

the following projection functions can be used to obtain the value of each
component contained in C:

I(C) = I        DS(C) = DS        DE(C) = DE

S(C) = S        PK(C) = PK        E(C) = E

Sig(C) = Sig

The public key PK(C) is bound to the entity S(C), the subject of the certificate.
The private key corresponding to the public key PK(C) is denoted by SK(PK(C)).
Therefore, the key pair possessed by the subject is (PK(C), SK(PK(C))).

¹ We do not consider Registration Authorities (RAs) as separate entities. RAs carry
out parts of the CA function, and are logically part of the CA, but are implemented
elsewhere for performance, cost and usability reasons.
The extension field of a certificate may include

— an extension named authorityKeyIdentifier for providing a means to
identify the particular private key used to sign the certificate, and

— an extension named subjectKeyIdentifier for differentiating the keys held
by the subject.

There are no requirements for PKI implementations to process these extensions.
However, for our purposes, we assume that in certificate processing, for a given
certificate C, the identifier of the certificate authority’s key and the
identifier of the certificate subject’s key can be identified by the extensions
authorityKeyIdentifier and subjectKeyIdentifier, respectively.

In practice, a PKI may use a certificate format different from the standard
format given above. However, any PKI certificate format should consist of two
parts: the data part and the signature part of the certificate issuer. In the
standard public key certificate format, Sig(C) is the signature part of the
certificate C, while the data part is a combination of the values of all other
components to be signed. We write tbs for “to be signed”, and define:

tbs(C) = (I, DS, DE, S, PK, E),

then tbs(C) is just the data part of the certificate, i.e. the argument to the
signature function carried out by the certificate issuer.



3 A State-Based Model for PKIs 

We now give a brief introduction to the state-based model for PKIs, which is 
based on the model proposed by Liu et al. [?] for CMSs (Certificate Manage- 
ment Systems). 

In our view of a PKI, all the agents of the PKI are organized based on a 
certification relation over the set of these agents. That is, for any pair of agents, 
say A and B, if B is within the domain of agents which A may potentially certify 
(for example, A is an organisation and B is an employee), we write A ↓ B, and
call ↓ the certification relation of the PKI.

We define the total certificate set of a given PKI, denoted as C, to be the 
set of all certificates issued by CAs in the PKI. This definition indicates that 
any certificate issued by some CA should belong to the total certificate set C, 
because it contains “all” certificates. 

At any moment in time, an agent in the PKI should hold zero or more certifi- 
cates. Also, for a CA, it is at times necessary to revoke certificates, for example 
when the certificate holder leaves the issuing organization or when the private 
key is compromised. A mechanism defined in X.509 for revoking certificates is the 
Certificate Revocation List (CRL). A CRL is a list, signed by a CA, of unexpired, 
revoked certificates. In our model, we assume that any agent is associated with 
a CRL issued by itself periodically. However, if the agent is an end-entity (EE), 
the CRL should be empty, because we assume no EE will issue certificates to 
others and cannot therefore revoke any certificates. Thus, we define PKI states
as follows:

We call (Ω, ↓) the topology of a given PKI, where Ω is the set of all agents in
the PKI and ↓ the certification relation. Let C be the total certificate set of
the PKI. Then a state s of the PKI is a relation from Ω to 2^C × 2^C satisfying
the following conditions: for any A ∈ Ω,

(1) there exists a unique set ζ (⊆ C) associated with A such that C ∈ ζ if and
only if A is the subject of C, and

(2) there exists a unique set η (⊆ C) associated with A such that C ∈ η if and
only if A is the issuer of C and it has revoked the certificate C,

where 2^C is the power set of C. Under a state s, we call s(A, ζ, η) a triple,
where ζ (⊆ C) is a set of certificates issued to A and η (⊆ C) is a set of
certificates issued by A.

Let s be a PKI state. If we have s(A, ζ, η), then ζ is called the possessed
certificate set of A, which lists all certificates possessed by A at the state s,
and η is called the revoked certificate set of A, which represents the CRL issued
by A at the state s. In the following, we will often use PCS_A and CRL_A to
denote the possessed certificate set and the revoked certificate set of an agent
A, respectively, at a given PKI state.

The state of a PKI can be changed by application of some PKI functions, 
such as certificate issuing, certificate rekeying and certificate revocation. These 
actions could be viewed as transitions which change one PKI state into another. 
Thus, a PKI can be described as a state machine. In the following, we focus on 
discussing the role of trust in the certificate verification based on a given PKI 
state, so we do not attempt to consider the formalization of the state changes 
here, which will be covered in future work. 



4 The Trust Relation 

In a PKI, the operations CAs may execute include: issuing, revoking and rekeying 
certificates. We make the following assumptions concerning trust between the 
agents in it: 

(1) All agents (CAs and users) trust all CAs to faithfully execute their CA 
operations; and 

(2) All agents trust that it is not viable to tamper with PKI certificates. 

These assumptions can be well founded and supported by PKI practices. Firstly, 
assurance is provided for (1) through the use of accreditation of CAs, Certificate 
Practice Statements published by CAs and the implementation of appropriate 
policy². Assurance is provided for (2) through the use of digital signatures, and
good control of private keys.

² Note that policy for CAs can be listed and checked in much the same way as in
which certificates are checked and can even be included as an extension in
certificates.
In the following, we focus on discussing a trust relation that is tightly related
to the certificate verification. Let (Ω, ↓) be the topology of a given PKI. Then
the trust relation of the PKI is a binary relation over Ω, i.e., a subset of
Ω × Ω. For any A, B ∈ Ω, if (A, B) belongs to the subset, we say that A trusts B,
denoted as A ⇝ B.

Note that in general the trust relation may not have the following properties:
transitivity and symmetry, i.e., we cannot obtain the conclusion ‘A_1 ⇝ A_3’ from
‘A_1 ⇝ A_2’ and ‘A_2 ⇝ A_3’, and cannot derive the formula ‘A_1 ⇝ A_2’ from
‘A_2 ⇝ A_1’. These are consistent with the model of trust in the real world: a
man may not trust his friend’s friend although he may trust his friend and his
friend may also trust a friend of hers; and the fact that Alice trusts Bob does
not necessarily mean that Bob should trust Alice. However, the trust relation
can be reflexive: an agent may trust himself. This property will be expressed as
a trust axiom in our model (see Section 6).

In our model, both the certification and trust relations are a binary relation 
over the set of agents. The difference between the two relations is that the certi- 
fication relation is static in our model whilst the trust relation may dynamically 
change from time to time because agents may change their beliefs. 

Yahalom et al. [?] identified and described various types of trust, and used
the term trusts subscripted with types to represent that an agent trusts another
in some aspect. For example, A ⇝_kg B can be interpreted to mean that an agent
A trusts an agent B with respect to quality random key generation. In general,
the expression A ⇝_x B means that an agent A trusts an agent B with respect
to x, where x is a variable ranging over trust types. In our model, we do not
use subscripts attached to the trust relation, and leave the freedom to the PKI
designer, or to whoever is concerned with reasoning about trust, to explain the
trust relation ⇝. For more explanation, see Section 6.

5 A Logic for Trust Transferring in PKIs 

A theory is based on a logic. Briefly, a logic of any sort consists of a language, 
a set of axioms and a set of rules of inference. The language defines the set of 
well-formed formulas (WFFs) in the logic. An axiom is a WFF and a rule of 
inference is a transformation from one WFF to another. A theory consists of 
a logic and a set of WFFs called proper axioms. A proof starts out from the 
axioms, repeatedly uses rules of inference and arrives at a WFF. A WFF that is 
the result of a proof is called a theorem of the theory. 

The logic we adopt in this paper is a typed modal logic, which is an extension
of first-order logic with typed variables and modal operators expressing the
beliefs of a rational agent. A trust theory for a given PKI consists of the logic
and trust axioms, which we discuss later.

5.1 The Syntax 

In this logic, all variables as well as functions are typed. Examples of simple 
types are numerical numbers and boolean values. For our purpose, we introduce 
the following primitive types: Ω (a set of agents), C (a set of certificates),
K (a set of keys), and N (the set of natural numbers). Other types may be
introduced at any time as the need arises.

In particular, we use

- A, B, A_1, A_2, ... agent variables ranging over the type Ω,

- C, C_1, C_2, ... certificate variables ranging over the type C,

- PK, PK_1, PK_2, ... public key variables ranging over the type K,

- SK, SK_1, SK_2, ... private key variables ranging over the type K, and

- T, T_1, T_2, ... time variables ranging over the type N.

We may also use agent constants alice, bob, ...; certificate constants
c, c_1, c_2, ...; public key constants pk, pk_1, pk_2, ...; private key
constants sk, sk_1, sk_2, ...; and time constants t, t_1, t_2, ..., and a
special time constant today representing the current time.

An n-ary function symbol represents functions of n variables, for finite integer
n. The types of all functions are defined. The main functions include all
functions given in Section 2, such as I(C), S(C), DS(C), Sig(C), tbs(C), PK(C)
and so on. We also have some variable and constant symbols for representing
certificate sets, such as PCS_A and CRL_A, which we introduce for representing
the possessed certificate set and the certificate revocation list of an agent A.

We write PK and SK for the public and private keys associated with a public key
pair K, that is, K = (PK, SK) means that the public key of the key pair K is PK
and the private key corresponding to the public key is SK. Note that, as we said
before, no one can calculate the private key from the public key although the
corresponding relation has been represented by the formula.

Let X be a public key or a private key. Then we have the following notations to
define encryptions and decryptions: {M}_X represents M encrypted under the key
X, and (M)_X represents M decrypted under the key X.

In our logic, we distinguish two different concepts, messages (in the first- 
order logic, called terms) and formulae. In our logic, messages can be names 
of agents, certificates, public keys, private keys, dates, strings having particular 
meanings, or other things. They can also be a combination (or sequence) of other 
messages. Messages are not formulae although formulas are built from messages. 
Only formulae can be true or false or have agent’s beliefs attributed to them. 
Formally, messages can inductively be defined as follows: 

- X is a message if X is a variable or a constant representing an agent, a
certificate, a public key, a private key, a time, or a string such as an
extension field value of a certificate.

- F(X_1, ..., X_n) is a message if X_1, ..., X_n are messages and F is any
function.

In first-order logic, with a given n-ary predicate symbol such as p, in the
formula p(e_1, ..., e_n) all e_1, ..., e_n are defined on the same domain in a
given interpretation. Our logic is a typed modal logic, so in the predicate
p(X_1, ..., X_n), X_1, ..., X_n may be defined with different types. Therefore,
in this logic, an interpretation of a formula should be based on the
corresponding types of the variables appearing in the formula.

In the vocabulary of our logic, apart from variables, function and predicate
symbols, we have the primitive propositional connectives ¬ and ∧, the universal
quantifier ∀ and the modal operators B_A for all A ∈ Ω. The formulae of the
logic are therefore inductively defined as follows:

- p(X_1, ..., X_n) is a formula if p is an n-ary predicate symbol and
X_1, ..., X_n are terms (messages) with the types corresponding to p. In
particular, we have:

(1) A ↓ B and A ⇝ B are formulae when A and B are agents.

(2) X ∈ S is a formula if X is a certificate and S is a set of certificates, or
X is an agent and S is a set of agents.

(3) X = Y is a formula if X and Y are messages.

(4) Valid(X) is a formula if X is a certificate, the signature of a certificate,
a key or a key pair.

- ¬φ and φ ∧ ψ are formulae if φ and ψ are formulae.

- ∀Xφ(X) is a formula if X is a free variable in the formula φ(X).

- B_A φ is a formula if φ is a formula, for all agents A.

Here, most of the expressions just given either are standard notation or have
been defined before. We only need to give a brief description for the following:
‘Valid(X)’ means that X is valid, where X may be a certificate or a key or
something else, and, for ‘B_A φ’, B_A is read as “agent A believes”, so it means
that the agent A believes φ. In the language, the other connectives ∨, → and ↔,
and the quantifier ∃, can be defined in the usual manner.



5.2 The Proof System 



The proof system consists of a set of axioms and a set of rules of inference. Our
logic has the following rules of inference:

Modus Ponens:     From φ and φ → ψ infer ψ.
Instantiation:    From ∀Xφ(X) infer φ(Y).
Generalisation:   From φ(X) infer ∀Xφ(X).
Necessitation:    From ⊢ φ infer ⊢ B_A φ.

where X is a free variable and A is any agent. ⊢ is a metalinguistic symbol:
‘Γ ⊢ φ’ means that φ is derivable from the set of formulae Γ (and the axioms),
and ‘⊢ φ’ means that φ is a theorem, i.e., derivable from the axioms alone.

Apart from all instances of tautologies of classical first-order logic, our logic
also has the following axiom schemata:
(A1) B_A(φ → ψ) ∧ B_A φ → B_A ψ, for any formulae φ and ψ.

(A2) B_A φ → B_A(B_A φ), for any formula φ.

(A3) ∀C(Valid(C) → Valid(PK(C))).

(A4) ∀K(K = (PK(C), SK(PK(C))) ∧ Valid(PK(C)) → Valid(K)).

(A5) ∀K∀M(K = (PK, SK) ∧ Valid(K) → (({M}_SK)_PK = M)).

(A6) ∀K∀M(K = (PK, SK) ∧ Valid(K) → (({M}_PK)_SK = M)).

(A7) ∀C(∃C'(Valid(C') ∧ (I(C) = S(C')) ∧
         (tbs(C) = (Sig(C))_{PK(C')})) → Valid(Sig(C))).

(A8) ∀C(Valid(Sig(C)) ∧ today > DS(C) ∧
         today < DE(C) ∧ ¬(C ∈ CRL_{I(C)}) → Valid(C)).

Axiom (A1) says that every agent believes everything that can logically be
derived from his beliefs. Axiom (A2) says in effect that an agent knows and is
able to tell what he believes. Axiom (A3) says that, if a certificate is valid,
then the public key contained in the certificate is valid. Axiom (A4) says that,
if the public key bound to the subject of a certificate is valid, then the key
pair consisting of the public key and the private key corresponding to it is
valid. Axiom (A5) says that, for any message M, we have ({M}_SK)_PK = M if the
key pair (PK, SK) is valid. The meaning of Axiom (A6) is similar to (A5). Axioms
(A7) and (A8) allow agents to verify the signature of a certificate as well as
the certificate itself based on another certificate whose validity has been
proved.

Note that digital signature algorithms usually involve use of a hash function.
However, to simplify our discussion, we do not consider this. So, in axiom (A7),
to verify the signature of the certificate C, we only check whether
tbs(C) = (Sig(C))_{PK(C')} holds when C is signed by SK(PK(C')) and we believe
that the certificate C' is valid.

5.3 Transfer of Trust 

Suppose that a certificate C_2 is signed by the subject of the certificate C_1
with the private key corresponding to the public key of C_1. We also assume that
an agent A trusts the certificate C_1, i.e., it believes that C_1 is valid. If
the agent does not trust the certificate C_2 but wishes to use it, then the agent
must verify this certificate based on its own beliefs.

Using our logic, the verification process can be outlined as follows:

(1) B_A Valid(C_1). (assumption)

(2) I(C_2) = S(C_1). (assumption)

(3) B_A(I(C_2) = S(C_1)). (by the rule of necessitation)

(4) tbs(C_2) = (Sig(C_2))_{PK(C_1)}. (checked and assumed to be true)

(5) B_A(tbs(C_2) = (Sig(C_2))_{PK(C_1)}). (by the rule of necessitation)

(6) B_A(Valid(C_1) ∧ (I(C_2) = S(C_1)) ∧ (tbs(C_2) = (Sig(C_2))_{PK(C_1)})).
    (from (1), (3) & (5))

(7) Valid(C_1) ∧ (I(C_2) = S(C_1)) ∧ (tbs(C_2) = (Sig(C_2))_{PK(C_1)})
    → Valid(Sig(C_2)). (by axiom (A7) & the rule of instantiation)

(8) B_A(Valid(C_1) ∧ (I(C_2) = S(C_1)) ∧ (tbs(C_2) = (Sig(C_2))_{PK(C_1)})
    → Valid(Sig(C_2))). (by the rule of necessitation)

(9) B_A Valid(Sig(C_2)). (from (6) & (8), and by (A1) and Modus Ponens)



Furthermore, if the following formulas:

(10) today > DS(C_2),

(11) today < DE(C_2) and

(12) ¬(C_2 ∈ CRL_{I(C_2)})

are all checked and hold, then, from (10) - (12) and by the rule of
necessitation, we have

(13) B_A(today > DS(C_2) ∧ today < DE(C_2) ∧ ¬(C_2 ∈ CRL_{I(C_2)})).

Thus, from (9) and (13), we have

(14) B_A(Valid(Sig(C_2)) ∧ today > DS(C_2) ∧
     today < DE(C_2) ∧ ¬(C_2 ∈ CRL_{I(C_2)})).

According to Axiom (A8) and by the rule of instantiation, we have

(15) Valid(Sig(C_2)) ∧ today > DS(C_2) ∧ today < DE(C_2) ∧
     ¬(C_2 ∈ CRL_{I(C_2)}) → Valid(C_2).

Then, by the rule of necessitation, we have

(16) B_A(Valid(Sig(C_2)) ∧ today > DS(C_2) ∧ today < DE(C_2) ∧
     ¬(C_2 ∈ CRL_{I(C_2)}) → Valid(C_2)).

Thus, from (14) and (16), we obtain

(17) B_A Valid(C_2).

Having completed the proof, we can therefore have

(*) B_A Valid(C_1) ⊢ B_A Valid(C_2).

This expression (*) can formally be read as “the fact that agent A believes that
the certificate C_2 is valid is derived from the fact that agent A believes that
certificate C_1 is valid”. Intuitively, it represents a trust transfer: agent A’s
trust in the certificate C_2 is transferred from its trust in C_1. In general, an
expression ‘B_A φ ⊢ B_A ψ’ represents that an agent’s trust in ψ is transferred
from its trust in φ (or its belief in ψ is transferred from its belief in φ).
This indicates that PKIs provide a mechanism for agents to transfer their trust from where it exists to where it is needed, while our logic allows agents to check the correctness of such trust transfers. However, we have to note that PKIs do not create trust [3]. Any PKI is only able to propagate it: agents must initially trust something. Usually, initial trust is established off-line. In our approach, initial trust is formalized as proper axioms in the trust theory of the PKI. Once the set of trust axioms for a given PKI is given, agents can obtain their trust bases as well as their initial trusted certificate sets. These will be discussed in the next section.

The reader may note that we did not directly use axioms (A4)-(A6) in the above proof process. However, we have to point out that checking whether $\mathrm{tbs}(C_2) = (\mathrm{Sig}(C_2))^{PK(C_1)}$ holds relies on the validity of the key $K = (PK(C_1), SK(PK(C_1)))$, and on the fact that the agent believes that

if $K$ is valid, then = $M$ for any message $M$.

Therefore, these axioms are also needed.

6 Trust Framework for a PKI 

This section discusses the trust framework for a PKI, i.e. trust axioms (TA), trust bases (TB) and trusted certificates (TC), which form the basis for specifying and reasoning about trust in the PKI.



6.1 Trust Axioms 

In our approach, the trust relation in a PKI is formalized as a set of trust axioms. That is, we use a set of proper axioms to define the trust relation. Obviously, different kinds of PKIs may have different axioms defining the trust relation.

In the hierarchical PKI, all CAs and users would trust the certificate of the paa, the top CA, because any certificate may be verified by verifying the certification path starting from the "root" certificate held by the paa. Therefore, any agent may trust the paa. Also, in the PKI, every agent may trust itself. Thus, writing $A \mathbin{tr} B$ for "agent $A$ trusts agent $B$", the PKI may have the following axioms to define the trust relation:

(T1) $\forall A\,(A \mathbin{tr} paa)$.

(T2) $\forall A\,(A \mathbin{tr} A)$.

The set $TA = \{(T1), (T2)\}$ is the set of trust axioms, which specifies trust in the PKI.

In our approach, a trust theory for a PKI consists of a logic and a set of trust axioms. Now, for the hierarchical PKI, we have a trust theory for which the proper axioms specifying trust are contained in $TA$.

What are the effects when adding a new axiom to the existing theory? If the 
new axiom can be proved as a theorem in the theory, there is no need to add it; 
if the new trust axiom is not a theorem, adding it gives rise to a new theory. 
Let us continue to consider the example given above. We denoted the trust theory for the hierarchical PKI as $T$. Obviously, adding the trust "alice trusts the paa" to the trust theory $T$ is not necessary, because it cannot make the theory contain more trusts. In fact, the trust "alice trusts the paa" can formally be expressed as

$alice \mathbin{tr} paa$,

which can be derived directly from Axiom (T1). However, if we add a trust stating that all EEs (i.e., users) trust their parents, i.e., those who can certify them, we obtain a new theory $T_1$. The trust can be expressed as:

(T3) $\forall A\,\forall B\,(\mathrm{Is\_EE}(A) \land (B \rhd A) \to A \mathbin{tr} B)$,

which says that for any agents $A$ and $B$, if $A$ is an EE and can be certified by $B$ (written $B \rhd A$), then $A$ trusts $B$.

(T3) cannot be derived from the theory $T$; it should therefore be viewed as a new axiom. Thus, the new theory $T_1$ has an extended set of trust axioms: $TA_1 = \{(T1), (T2), (T3)\}$.

Furthermore, if we add the formula

(T4) $\forall A\,\forall B\,((B \rhd A) \to A \mathbin{tr} B)$

as an axiom to the theory $T_1$, a new trust theory $T_2$ is obtained. Thus, the set of trust axioms for $T_2$ contains 4 axioms, i.e., (T1)-(T4). However, since every instance of (T3) is also an instance of (T4), if (T3) is removed from the set of trust axioms we still have the same theory. That is, the set of trust axioms for the theory $T_2$ can be $TA_2 = \{(T1), (T2), (T4)\}$.

We do not attempt to discuss all the issues about how to construct a set of 
trust axioms in a trust theory for a PKI. We only need to note that we have to 
consider the consistency of a trust theory when adding a new trust into it. That 
is, we must maintain the soundness of our theory when extending the theory by 
adding new axioms. 



6.2 Trust Bases 

Given the topology $(\Omega, J, \ldots)$ of a PKI, we define the trust base of any agent $A \in \Omega$, denoted $TB_A$, as the set consisting of all agents whom the agent trusts. We argue that, for any agent in a PKI, there should be a trust base in which the agent places its trust and from which it can therefore obtain the information it expects.

Our model is conservative: in particular, an agent $A$ is assumed not to trust another agent $B$ unless there is an explicit expression $A \mathbin{tr} B$ that can be derived from the theory of trust. That is

— If $T$ is the trust theory of a PKI, then, for any agents $A$ and $B$, $B \in TB_A$ if and only if $A \mathbin{tr} B$ is a theorem of $T$.

For example, assume that $alice \in \Omega$, and the PKI is hierarchical and has the trust theory $T$ given above. Then it is not difficult to show that $TB_{alice} = \{paa, alice\}$.

As we will see, based on the trust base, an agent can build its own trusted 
certificate set, which is needed for the certificate verification. 



6.3 Trusted Certificates 

When an agent wants to verify a required certificate, it must construct a cer- 
tification path starting with a certificate trusted by itself and ending with the 
required certificate. If it has no trusted certificates, it cannot accept any certifi- 
cate as valid. We now analyse why an agent needs a set of trusted certificates 
and how to derive it based on our logic. 

A PKI provides mechanisms for agents to retrieve information, such that 
agents are able to verify the validity of every certificate that a security application 
uses. Assume that an agent Alice wants to retrieve Bob’s certificate together with 
evidence used for checking if the certificate is valid. The certificate held by Bob carries the message that allows Bob to say, for example, "I am bob and have the certificate to which the public key $pk$ (and the corresponding private key $sk$) is bound. The certificate is issued by $ca_1$ and valid from 12th October 2000 to 31st October 2001". If Alice trusts Bob, she may believe that Bob's certificate is valid, i.e., she may accept Bob's certificate as valid. In particular, Alice believes that Bob's public key is really Bob's, so that she can use Bob's public key $pk$ to verify a message signed with Bob's private key.

However, if Alice does not trust Bob, she must verify Bob’s certificate before 
she uses it. To do this, Alice may employ the proof procedure presented in the 
last section to transfer some of her trust which has existed to Bob’s certificate, 
and to determine whether to trust it. The procedure can be outlined as follows: 

- verifying the identity of the certificate issuer and owner (checking if bob is the owner, and checking if bob belongs to the certification domain of the issuer);

- verifying the validity dates of the certificate; 

- verifying the certificate against the issuer's latest CRL to make sure it has not been revoked;

- verifying extension fields (such as certificatePolicies) if necessary; and 

- verifying the signature on the certificate. 

In order to verify the signature on Bob’s certificate, Alice needs to check if the 
issuer holds a valid certificate, or, more precisely, Alice must verify the certificate 
which is held by the issuer and used to sign Bob’s certificate in the same way 
if she does not trust the issuer’s certificate. Therefore, the verification process 
Alice uses is iterative. She cannot accept Bob’s certificate as valid unless she 
reaches a certificate she trusts in the verification procedure. 

This indicates that, if Alice has no trusted certificates, either she cannot prove that Bob's certificate is valid or her proof process can never terminate. That is, an agent who is involved in certificate verification should have a non-empty set of certificates which it trusts.

Let $(\Omega, J, \ldots)$ be the topology of a PKI. Given a state, for every agent $A \in \Omega$, we denote the set of certificates trusted by the agent $A$ at the given state by $TC_A$. The agent has the basic belief that, if a certificate belongs to its trusted certificate set, then the certificate can be accepted as valid. Formally, we have:

(A*) $B_A(C \in TC_A \to \mathrm{Valid}(C))$, for all $C \in \mathcal{C}$.

(A*) is an auxiliary axiom of the proof system, which is related to constructing initial trust.

Suppose that at the current state the trusted certificate set of an agent $A$ is $TC$, and the agent has also verified that a certificate $C$ is valid and put $C$ into its trusted certificate set; then its new trusted certificate set would be $TC \cup \{C\}$. This indicates that, once a trusted certificate set exists for an agent, there is no problem in extending the set by adding new certificates that the agent trusts. The question is: how does the agent derive the initial trusted certificate set for itself? A simple rule the agent $A$ may adopt is that, if a certificate is owned by someone whom $A$ trusts, then the certificate can be trusted by $A$ itself and should belong to the trusted certificate set $TC_A$. This rule can be expressed as follows:

Belief Rule: If $S(C) = B$ and $B \in TB_A$, then $C \in TC_A$.

As we said before, we allow freedom in defining the meaning of "trust". In our model, as shown in the above rule, a simple explanation of trust could be that "one agent trusts someone" means that the agent trusts that agent's certificate, i.e., it believes that the certificate is valid. The above rule is flexible, and may be modified by giving different explanations of the meaning of "$A \mathbin{tr} B$" (depending on the designer and/or security requirements). For instance, instead of the above rule, we may adopt a rule as follows:

If $S(C) = B$ and $A \mathbin{tr} B$, then $B_A(B \textit{ controls } SK(PK(C)))$,

which means that if an agent $A$ trusts an agent $B$ and $B$ is the subject of a certificate $C$, then the agent $A$ believes that $B$ controls the private key corresponding to the public key of $C$. (Note that, if this rule is adopted, we may need to make slight changes to the axioms of our proof system.)

Trust assessment must be based on some initial trust combined with trust propagation. For certificate verification, one must obtain an initial trusted certificate set. Initial trust is usually established off-line. Our model then allows an agent to gain further trust through the proof system of our logic.
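The derivation of a trust base $TB_A$ and an initial trusted certificate set $TC_A$ from a set of trust axioms can be made concrete. The following Python is an added example, not code from the paper: it encodes a constructed three-level hierarchy (paa certifies ca1, ca1 certifies ca2, ca2 certifies the end entities alice and bob), the axioms (T1)-(T4) of Section 6.1 as predicates over pairs of agents, the trust base of Section 6.2 as the set of agents some axiom yields, and the Belief Rule above. It also reproduces the two observations of Section 6.1: adding "alice tr paa" to $T$ changes nothing, and (T3) is redundant once (T4) is present. The agent names, the `CERTIFIES` relation and the finite-model check in `extends_theory` are assumptions of this example.

```python
"""Trust bases and trusted certificate sets from trust axioms (added example).

Constructed hierarchical PKI: paa certifies ca1, ca1 certifies ca2, and ca2
certifies the end entities alice and bob. Each trust axiom is a predicate on
(A, B) meaning "A tr B holds by this axiom"; TB_A is the set of B for which
some axiom of the theory yields A tr B, and TC_A follows by the Belief Rule.
"""
from dataclasses import dataclass

PAA = "paa"
AGENTS = {"paa", "ca1", "ca2", "alice", "bob"}
END_ENTITIES = {"alice", "bob"}
# CERTIFIES[B] is the set of agents that B can certify (B |> A in the text).
CERTIFIES = {"paa": {"ca1"}, "ca1": {"ca2"}, "ca2": {"alice", "bob"}}


@dataclass(frozen=True)
class Cert:
    subject: str   # S(C)
    issuer: str    # I(C)


# One certificate per agent; the paa's certificate is self-signed.
CERTS = [Cert("paa", "paa"), Cert("ca1", "paa"), Cert("ca2", "ca1"),
         Cert("alice", "ca2"), Cert("bob", "ca2")]


def can_certify(b, a):
    return a in CERTIFIES.get(b, set())


# Trust axioms of Section 6.1, each read as "does this axiom give A tr B?".
def T1(a, b):  # every agent trusts the paa
    return b == PAA


def T2(a, b):  # every agent trusts itself
    return a == b


def T3(a, b):  # an end entity trusts whoever can certify it
    return a in END_ENTITIES and can_certify(b, a)


def T4(a, b):  # any agent trusts whoever can certify it (subsumes T3)
    return can_certify(b, a)


def alice_trusts_paa(a, b):  # the redundant trust statement of Section 6.1
    return a == "alice" and b == PAA


def trust_base(a, axioms):
    """TB_A: all B such that A tr B follows from some axiom of the theory."""
    return {b for b in AGENTS if any(ax(a, b) for ax in axioms)}


def trusted_certs(a, axioms, certs=CERTS):
    """Belief Rule: if S(C) = B and B is in TB_A, then C is in TC_A."""
    tb = trust_base(a, axioms)
    return {c for c in certs if c.subject in tb}


def extends_theory(axioms, new_axiom):
    """True if adding new_axiom enlarges some agent's trust base.

    Assumption of this example: the axioms are plain predicates with no
    further inference rules, so in this finite model "enlarges a trust base"
    coincides with "is not already a theorem of the theory".
    """
    return any(trust_base(a, list(axioms) + [new_axiom]) != trust_base(a, axioms)
               for a in AGENTS)
```

With the theory $T = \{T1, T2\}$ alice's trust base is $\{paa, alice\}$ and her trusted certificates are exactly the paa's and her own; `extends_theory([T1, T2], T3)` is true while `extends_theory([T1, T2, T4], T3)` is false, mirroring the move from $T_1$ to $T_2$ in the text.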

7 Certificate Verification 

Certificate verification is a client function, which is responsible for verifying the 
validity of every certificate that a security application uses. This section discusses 
certificate verification in a given state for a PKI. 
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7.1 The Concept of Certificate Verification 

The certificate verification is always based on a given state, in which any agent 
has a certain set of certificates possessed by itself and a certain revoked certificate 
set. For verifying a required certificate, the agent must also have its own trusted 
certificate set at the given state. 

Verifying the validity of a required certificate involves obtaining and verifying the certificates from a trusted certificate to the target certificate. Obtaining the certificates is referred to as certification path development and checking the validity of the certification path is referred to as certification path validation. A certification path is usually defined to be a non-empty sequence of certificates $(C_0, \ldots, C_n)$, where $C_0$ is the target certificate, $C_n$ is a trusted certificate, and for all $i$ ($0 \le i < n$) the subject of $C_{i+1}$ is the issuer of $C_i$.

The path development module discovers certification paths and sends them 
to the path validation module for processing; the path validation module takes 
a given certification path and determines whether the target certificate is valid 
or invalid. 

For certificate verification, we have an essential principle stated as follows: 

— In a certificate verification process, when the verifier (an agent) has found a certification path constructed for verifying a required certificate in which it believes that all certificates are valid, it may accept this certificate as valid; in all other cases the certificate is regarded as invalid.

Note that, according to the certificate verification principle, it can happen 
that a certificate may actually be valid but the verifier did not find a correspond- 
ing certificate path in which all certificates are valid. In such a case, the verifier 
cannot accept this certificate as valid. This is the correct choice on security 
grounds. 



7.2 Path Development and Validation 

How the certification path is obtained is dependent on the structure of the PKI. 
However, in any PKI, starting with the target (required) certificate and building 
a certificate chain back towards a certificate trusted by the verifier is usually an 
efficient means for developing a certificate path. 

A sequence of certificates starting with the target certificate constructed in 
developing a certification path may eventually be a part of some certification 
path; however, in some cases, it may be discarded as not being a part of any 
certification path if the verifier could not reach any trusted certificate along this 
sequence. In either case, the verifier may need to check whether there is any 
possibility to reach a trusted certificate along such a sequence of certificates, 
such that a certification path can be constructed. 

We assume that, at a given state, $C_0$ is the target certificate required by the agent $A$, and $TC_A$ is the trusted certificate set of the agent $A$. Recalling the notations for possessed and revoked certificate sets, we have: for any agent $B$, $PCS_B$ represents $B$'s possessed certificate set, and $\mathrm{CRL}_B$ represents $B$'s revoked certificate set.

Thus, for a hierarchical PKI, the agent $A$, as a verifier of the certificate $C_0$, may adopt the following algorithm for developing a certification path by constructing candidate paths step by step. Here $\mathcal{C}_i$ denotes the set of candidate certificates still available for position $i+1$ of the path, and $I(C)$ the issuer of $C$.

1. Set $i = 0$, $P = (C_0)$ and $\mathcal{C}_0 = PCS_{I(C_0)}$;

2. If $C_i \in TC_A$, return $P = (C_0, \ldots, C_i)$ as the certification path, then stop; otherwise

3. If $\mathcal{C}_i$ is not empty, choose $C_{i+1}$ from $\mathcal{C}_i$, set $\mathcal{C}_i = \mathcal{C}_i - \{C_{i+1}\}$, $P = (C_0, \ldots, C_i, C_{i+1})$, and $\mathcal{C}_{i+1} = PCS_{I(C_{i+1})}$; then reset $i = i + 1$ and go to Step 2; otherwise

4. If $\mathcal{C}_i$ is empty and $i > 0$, delete the last element of $P$, i.e., reset $P = (C_0, \ldots, C_{i-1})$, then set $i = i - 1$ and go to Step 3; otherwise

5. If $\mathcal{C}_i$ is empty and $i = 0$, return fail (which means that no certification path is found), then stop.

By this method, the verifier A may construct all possible certification paths 
starting with the target certificate and ending with a trusted certificate. All these 
certification paths can be used for verifying the target certificate. However, it 
may find that there are no such certification paths, in which case, it cannot 
accept the certificate as valid. 

In particular, if A only trusts the certificate held by the paa in a hierarchical 
PKI, then any certification path constructed by itself is always a certification 
path starting with the certificate held by the paa. 

Since the certificate set of an agent may contain multiple certificates, without the use of key-identifier information certification path development becomes increasingly complex, as the number of paths that need to be developed may grow exponentially. To avoid this, in Step 3 ("choose $C_{i+1}$ from the candidate set $\mathcal{C}_i$") we may use the key-identifier information to reduce the number of choices to those certificates whose subject key matches the key that signed $C_i$.

Suppose a certification path $(C_0, \ldots, C_n)$ has been developed for agent $A$ to verify certificate $C_0$, and sent to the path validation module, where $C_n$ is a certificate belonging to $A$'s trusted certificate set. From the fact that $A$ trusts the certificate $C_n$, i.e., $C_n \in TC_A$, and Axiom (A*), we have

$B_A\,\mathrm{Valid}(C_n)$.

The path validation module needs to check whether $A$'s trust in $C_n$ can be transferred to its trust in $C_0$, i.e., it needs to prove all of the following trust transfers:

$B_A\,\mathrm{Valid}(C_n) \vdash B_A\,\mathrm{Valid}(C_{n-1})$,

$B_A\,\mathrm{Valid}(C_{n-1}) \vdash B_A\,\mathrm{Valid}(C_{n-2})$,

$\ldots$

$B_A\,\mathrm{Valid}(C_1) \vdash B_A\,\mathrm{Valid}(C_0)$.

Unless all proofs for these trust transferrings are successfully completed, the 
agent A cannot accept Co as valid by this path. 
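As an added, runnable illustration (not the paper's code) of the two modules described in this section, the Python below implements the path development algorithm above as a depth-first search with backtracking, including the key-identifier pruning, and the path validation module as a chain of the link checks used in the proof of $B_A\,\mathrm{Valid}(C_1) \vdash B_A\,\mathrm{Valid}(C_2)$: signature under the issuer's key, validity dates, and absence from the issuer's CRL. The PKI, its certificates, the CRLs and the value of "today" are constructed inline. The signature is a keyed-hash stand-in so that the example needs only the standard library; that stand-in is an assumption of this example and not a public-key scheme. The example also covers the failure modes the section names: no trusted certificate, a branch that dead-ends, and a revoked, expired or forged certificate.

```python
"""Certification path development and validation (added example).

Implements, for a constructed hierarchical PKI, the path development
algorithm of Section 7.2 (build candidate paths from the target certificate
back towards a trusted certificate, backtracking when a branch dead-ends) and
the link-by-link trust transfer B_A Valid(C_{i+1}) |- B_A Valid(C_i), with
the checks of the proof: signature, validity dates, issuer's CRL.
Assumptions: the certificate fields, the keyed-hash stand-in for public-key
signature verification, and all sample data below.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: str
    subject: str       # S(C)
    issuer: str        # I(C)
    key_id: str        # identifier of the subject key PK(C)
    auth_key_id: str   # identifier of the issuer key that signed C
    not_before: date   # DS(C)
    not_after: date    # DE(C)
    signature: bytes = b""

    def tbs(self) -> bytes:
        """To-be-signed bytes: every field except the signature."""
        return "|".join([self.serial, self.subject, self.issuer, self.key_id,
                         self.auth_key_id, self.not_before.isoformat(),
                         self.not_after.isoformat()]).encode()


def _sign(tbs: bytes, key_id: str) -> bytes:
    # Stand-in for a real signature (assumption): a keyed hash under the key id.
    # Real code verifies with the issuer's public key; the control flow is the same.
    return hmac.new(key_id.encode(), tbs, hashlib.sha256).digest()


def make_cert(serial, subject, issuer, key_id, auth_key_id, nb, na, forged=False):
    c = Cert(serial, subject, issuer, key_id, auth_key_id, nb, na)
    return replace(c, signature=_sign(c.tbs(), "not-the-issuer" if forged else auth_key_id))


def develop_paths(target, trusted, pcs, use_key_id=True):
    """Yield every certification path (C0, ..., Cn) whose Cn is in `trusted`.

    pcs[B] is B's possessed certificate set PCS_B; candidates for C_{i+1} are
    drawn from PCS_{I(C_i)}, pruned by key identifier when use_key_id is set.
    """
    def step(path):
        c = path[-1]
        if c in trusted:                       # Step 2: reached a trusted cert
            yield tuple(path)
            return
        for nxt in pcs.get(c.issuer, []):      # Step 3: try each candidate
            if use_key_id and nxt.key_id != c.auth_key_id:
                continue
            if nxt in path:                    # loop guard (self-signed certs)
                continue
            yield from step(path + [nxt])      # Step 4: backtrack when exhausted
    yield from step([target])


def link_ok(c, issuer_cert, today, crl):
    """B_A Valid(issuer_cert) |- B_A Valid(c): the conditions of Axiom (A8)."""
    sig_ok = issuer_cert.subject == c.issuer and hmac.compare_digest(
        c.signature, _sign(c.tbs(), issuer_cert.key_id))
    dates_ok = c.not_before < today < c.not_after           # (10), (11)
    not_revoked = c.serial not in crl.get(c.issuer, set())  # (12)
    return sig_ok and dates_ok and not_revoked


def validate_path(path, today, crl):
    """Cn is trusted by (A*); transfer that trust down to C0 one link at a time."""
    return all(link_ok(path[i], path[i + 1], today, crl)
               for i in range(len(path) - 1))


def verify(target, trusted, pcs, today, crl):
    """Verification principle of Section 7.1: valid iff some developed path validates."""
    return any(validate_path(p, today, crl)
               for p in develop_paths(target, trusted, pcs))


# Constructed sample PKI: paa -> ca1 -> {bob, carol, mallory}; ca1 has an old,
# expired certificate with a different key, so key-id pruning matters.
D = date
PAA = make_cert("paa-1", "paa", "paa", "paa-k1", "paa-k1", D(2000, 1, 1), D(2010, 1, 1))
CA1_OLD = make_cert("ca1-1", "ca1", "paa", "ca1-k1", "paa-k1", D(1998, 1, 1), D(2000, 12, 31))
CA1 = make_cert("ca1-2", "ca1", "paa", "ca1-k2", "paa-k1", D(2000, 6, 1), D(2003, 6, 1))
BOB = make_cert("bob-1", "bob", "ca1", "bob-k1", "ca1-k2", D(2000, 10, 12), D(2001, 10, 31))
CAROL = make_cert("carol-1", "carol", "ca1", "carol-k1", "ca1-k2", D(2000, 10, 12), D(2001, 10, 31))
MALLORY = make_cert("mal-1", "mallory", "ca1", "mal-k1", "ca1-k2",
                    D(2000, 10, 12), D(2001, 10, 31), forged=True)

PCS = {"paa": [PAA], "ca1": [CA1_OLD, CA1], "bob": [BOB],
       "carol": [CAROL], "mallory": [MALLORY]}
CRL = {"ca1": {"carol-1"}, "paa": set()}   # carol's certificate has been revoked
TRUSTED = {PAA}                             # Alice's TC_A: only the paa's certificate
TODAY = D(2001, 6, 1)
```

With key-identifier pruning only one path is developed for bob's certificate; without it the expired `CA1_OLD` is also tried and rejected at validation, which is the exponential blow-up the text warns about in miniature. Revocation, expiry and a bad signature each make `verify` return `False`, as does an empty trusted set.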
A framework for path processing has been proposed based on a natural separation of the entire certification path validation problem into distinct types of checking requirements. For details about the framework and a mechanism dealing with the various different checks, we refer the reader to Ozols et al.

8 Conclusion 

There are two major relations involved in a PKI: one is the certification relation and the other is the trust relation. The certification relation has been formalized by Liu et al. The trust relation is the basis of certificate verification. This paper, focusing on the trust relation, has presented a typed modal logic for specifying and reasoning about trust for a PKI. We have proposed a trust theory for formalizing the trust relation in a PKI. In particular, we have discussed trust axioms, trust bases and trusted certificates. In our model, the trust relation in a PKI is formalized by $TA$, a set of trust axioms. Based on the trust axioms, an agent has its own trust base that contains all agents whom the agent trusts. Trusted certificate sets are essential for certificate verification. Without a trusted certificate set, an agent cannot prove that any certificate is valid and should not use any PKI function.

Our axiomatic approach is flexible: it is easily modified or extended for a specific purpose. The logic is sound. Because of space limitations, no proof of soundness is given in this paper. Also, we did not give a formal semantics for this logic. All these will be addressed in future work. We also plan to mechanise the theory in a general theorem prover, Isabelle. Once a reasoning system for PKIs has been developed, certificate verification and the proof of security properties of a PKI could be performed automatically.

Future work also includes investigating different distributions of trust points within a PKI. Comparisons of solutions and suggestions as to how the distribution of trust points could be implemented in these extended PKI structures need to be considered. Joining PKIs, with so-called cross-certificates or bridging CAs, is another important issue. This paper is based on first order logic. The PKI functions, including certificate verification, could also be described in a temporal reasoning framework.
Abstract. This paper proposes a knowledge-based approach to Internet 
authorizations using Public-Key Infrastructure (PKI) based digital certificates 
and Role-Based Access Control (RBAC). First, we introduce several existing 
access control models. Second, a logic-based policy specification language is 
given. Third, a policy-driven RBAC is presented. Fourth, a method of 
automatically assigning roles to users using digital certificates is discussed. 
Then, the architecture for Internet authorizations is described. Finally, a 
solution to remote policy enforcement is proposed. We also give the syntax of a 
role definition language and illustrate it in appendices A and B, respectively. 



1 Introduction 

The Internet provides an excellent infrastructure for supporting information sharing and collaboration between business partners. One of the most important challenges is to control Internet users' access to resources without asking the users to pre-register with the resource providers. In the following, we use the terms resource and service interchangeably. First, we introduce some of the existing access control models.



1.1 Discretionary Access Control (DAC) 

DAC enforces the rules specified by an access matrix, which describes the operations each subject is authorized to perform on various objects, and is typically implemented by either Access Control Lists (ACLs) associated with resources or users' capability lists. Each time a user is added to or removed from a system, security managers have to administer the relevant ACLs for the resources affected. Similarly, this applies to users' capability lists when a resource is added to or removed from the system. Extensions to the conventional ACL include the addition of an optional field to each ACL entry for specifying restrictions on access rights [8]. In [17], a generalized ACL supporting delegation of authorizations is given. However, these do not scale well as the number of subjects or objects in the system increases. If an authorization policy changes, the ACL has to be modified dramatically. Therefore, DAC is not the best solution to access control in Internet environments from a user-resource management perspective.

V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 292-304, 2001. 
1.2 Mandatory Access Control (MAC) 

MAC attaches security levels to objects based on their information sensitivity, and to 
subjects, reflecting the degree to which they are trusted to not disclose sensitive 
information. Security levels are partially ordered in a lattice-structured hierarchy, with 
each level dominating itself and the ones below it [4, 19, 23]. Some MAC systems 
also introduce categories and assign them to subjects and objects. Thus, a node in the 
hierarchy consists of a security level and a set of categories. MAC enforces a specific 
security policy so that it prevents information flow from high-level objects to low- 
level subjects. However, when a user is unknown to a resource provider, the prior art 
MAC model still cannot solve the general problem of Internet authorizations. 



1.3 Role-Based Access Control (RBAC) 

In RBAC models [2,6,7,9,13,14,16,24], a role is represented by a set of permissions that allow its role members to perform operations on objects. Security officers and system administrators create and assign roles to users based on their responsibilities and obligations in their organizations. An RBAC system determines a user's permissions according to the role(s) the user plays at the time of requesting a resource. A user can easily be reassigned from one role to another. A role may be granted new permissions as new resources are provided, and permissions can be revoked from roles as needed. Therefore, security management is significantly simplified. However, given an unknown Internet user's request, assigning roles to the user dynamically still needs to be solved.



1.4 Certificate-Based Access Control 

Attribute and authorization certificates may contain access rights [11,15]. Attribute Certificates (ACs) bind attributes to users' Distinguished Names (DNs), and can be used with identity certificates to achieve the mapping: attributes → DN → public key. Having a delegation tag within it, a SPKI attribute certificate allows its recipients to delegate privileges to other people, achieving distributed authorizations [1,3,5]. However, having authorizations in an AC raises several issues. First, AC authorities must issue ACs to users before the users access the controlled resources. Second, for those ACs that have a long period of validity, revoking them can be much of a burden to the issuing AC authorities, especially when the access rights within them have to be updated because of changes in the resource provider's security policy. Third, it is too expensive to issue ACs to all potential Internet users.

In this paper, it is assumed that an AC contains only users' non-volatile attributes, without access rights. A user may have several ACs issued by different trusted authorities that have intimate knowledge of the user. E.g., an accredited university issues its graduates ACs containing such information as degrees, qualifications, majors, graduation dates, and the like. A user's ACs will then be used by resource providers to make access control decisions, based on their security policy and the user's requests [25,26,27,28].
In the following, a logic-based policy specification language is introduced first. Second, a policy-driven RBAC is presented. Third, we discuss a method of automatically assigning roles to Internet users using digital certificates. Fourth, the architecture for knowledge-based Internet authorizations is described. Finally, a solution to remote policy enforcement is proposed. We also give the syntax of a policy-based role definition language and illustrate how it can be used to specify security policies in appendices A and B, respectively.



2 A Logic-Based Policy Specification Language 

Our policy specification language is defined as a subset of Horn clauses. A clause, also known as a rule, takes the form $H \textit{ if } B$, where $H$ and $B$ are called the head and body of the rule, respectively. $H$ takes the form $pred(t_1, \ldots, t_n)$, where $pred$ is an $n$-ary predicate symbol and each $t_i$ is a term. $B$ is a conjunction of literals. A term is either a variable or a constant, and each rule has a bounded number of variables. When $B$ is empty, the "if" part of the rule can be omitted. A policy base is thus just a finite set of rules. Given a policy base $PB$, a request $r$ is to be granted if and only if $PB \vdash r$.

The logic-based policy specification language has the following advantages [18]: 

• The separation of domain-specific policy base from its implementation 
mechanism, increasing the flexibility of an authorization system. Based on 
the same implementation mechanism, users can deploy various 
authorization policies. 

• The ability of expressing constraints and security policies as declarative 
rules. In most security systems, policies are hard-coded into programs, 
which is inflexible for configuration changes. 

• The capability of expressing information implicitly. E.g., a role membership 
can be specified by a predicate, rather than enumerating its members 
explicitly. 

• Policy conflict detection can be done by checking if the corresponding rule 
set is consistent or not, based on the model-theoretic semantics of first order 
logic. 



3 Policy-Driven RBAC 

The known prior art RBAC is policy-neutral. Some extensions to it include the introduction of role hierarchies, and constraints that apply to user-role and role-permission assignment, and so on [2,6,7,9,12,13,16]. In our policy-driven RBAC model, the user-role assignment policy and the application-specific business logic on role permissions are provided as a configurable knowledge base. Any change to it will dynamically and automatically drive the changes in an organization's security policies on its business processes, thus alleviating security management. In our approach, each role is extended by a predicate describing its membership policy, and role permissions are generic. For example, there are several permissions defined for the withdrawal of money in a traditional RBAC system:

• A normal customer can withdraw money from its own bank account, but overdrawing is disallowed.

• However, a silver customer, whose annual salary is over £20000, can overdraw up to £1000 from a bank if the customer has been with the bank for more than 5 years; otherwise, the limit for overdrawing is reduced to £300.

The business logic on role permissions can be captured in the knowledge base so that when the bank's business policy on a customer's withdrawal of money changes, all that needs to be done is to modify the affected policy rule rather than adding a new permission or modifying an existing permission. A simplified definition of the role silver customer is described below, based on the role syntax given in appendix A.

Name: silver customer.

Role-Assigning Policy: salary_based_silver_customer(Certificates, Request).

Authorizations:
    Request = [withdraw, Account, Amount],
    overdraw_policy(Certificates, Limit),
    withdraw_test(Limit, Account, Amount),
    withdraw_money(Account, Amount).              // It is a method.
    // For simplicity, other permissions are omitted here.

salary_based_silver_customer(Certificates, _) :-
    get_salary(Certificates, Salary),              // Its definition is omitted here.
    Salary > 20000.

overdraw_policy(Certificates, 1000) :-
    time_with_the_bank_over_months(Certificates, 60).
    // For simplicity, its definition is omitted here.
overdraw_policy(_, 300).                           // Default limit when the first clause fails.

withdraw_test(Limit, Account, Amount) :-
    balance_of_the_account(Account, Balance),
    Amount <= Balance + Limit.

Besides the application-specific business logic on role permissions, the user-role assignment policy can also be captured in the knowledge base. If it is empty, roles must be assigned to users manually, with business logic hard-coded into the system; otherwise, roles may be assigned to users automatically and dynamically, depending on whether the role assignment policies evaluate to true. For a role that can be assigned to any user, the role assignment policy attribute is "true" in its definition. If a role assignment policy evaluates to false for a given user, the role cannot be assigned to the user. For other roles that must be manually assigned to users, their user-role assignment policy attributes are "null" by default. Furthermore, because a resource provider may trust only those digital certificates issued by particular Certificate Authorities (CAs), the trust relationships between resource providers and CAs may also be captured in the knowledge base.

There are several significant differences between our approach to Internet authorizations and others like PolicyMaker, KeyNote, and SPKI. First, a resource provider does not need to issue digital certificates to an Internet user before the user can access the resources controlled by the resource provider. The user may need to have a set of digital certificates issued by trusted third parties. Second, the user's presented digital certificates do not contain any access rights. A user's access rights are implied by the permissions of the roles assigned to the user based on the user's presented certificates. The certificates can thus be used for a wide range of general purposes rather than for specific requests for particular resources. Third, for security reasons, access control policies do not appear on the certificates in the form of credential conditions or the like. Fourth, when either the access control policies or the access rights change, our approach is not affected. The separation of access rights and authorization policy from a user's digital certificates makes our approach very flexible.



4 Automated Role-Assignment Using Digital Certificates 

Most RBAC systems assign roles to users manually and involve a lot of user-role administration. An approach has been proposed to dynamically map a user to predefined business roles, using the user's presented digital certificates issued by Certificate Authorities (CAs) and role-assigning policies pre-set by resource providers [11]. Because the user does not know the role-assignment policy, and multiple roles may have the required permission for a given user's request, various digital certificates will be requested for presentation to the resource provider [18], based on the evaluation of the security policies and business logic associated with the required permission.

There are two major differences between our automated role-assignment approach and that described in [11]. First, we adopt a non-deterministic approach, because the resource provider does not know which role should be dynamically assigned to a user for its current request. The non-deterministic role assignment is achieved by using a backtracking mechanism. Second, our approach is more efficient because it enforces server-side security policies on a client's machine remotely, which will be discussed later.

The principle of separation of duties can be dynamically accomplished by not 
satisfying the policies on the assignment of conflicting roles to the same user 
simultaneously [20]. Alternatively, we can store the roles already assigned to a user in 
a database persistently, such that the candidate roles being in conflict with them will 
not be assigned to the user (see Fig. 1). If such a conflict does occur, the security 
manager will be informed and will take necessary measures as required. In this paper, 
we adopt the first approach due to its simplicity for implementation. 







Although a user may be assigned multiple roles, only some of them will authorize 
the user's current request. For each role assignable to a user, if either it does not have 
a matching privilege for the user's current request or the business logic associated 
with the privilege evaluates false, the current role assignment will be backtracked 
automatically to try alternative roles; otherwise, the user's current request is authorized. 
If all roles have been tried and none of them authorizes the given request, the user will 
be denied. In our approach, a role-filtering sub-system is used to pre-compute the 
candidate roles assignable to a user, for efficiency. 

Figure 1. Automated Role Assignment Model 



5 A Knowledge-Based Approach to Internet Authorizations 

The architecture for our knowledge-based solution to Internet authorizations is 
described in Fig. 2. Given a user's digital certificates and the knowledge base on the 
server side, it does not make sense to ask the user to submit all of its digital 
certificates to the service provider in order to access the requested service, since most 
of them are irrelevant to the current request. The user may not be willing to send them either. 

During the access control decision-making, if any of the following conditions 
holds, the Server Security Agent (SSA) will automatically redo the current user-role 
assignment and re-evaluate the business logic on the role's associated privileges: 

• Some of the user's presented digital certificates have already been revoked 
by their issuing CAs, using either Certificate Revocation Lists (CRLs) or the 
Online Certificate Status Protocol (OCSP) for their validation. 

• Some certificates presented either have expired or are unacceptable to the 
SSA, based on the trust models described in the server-side knowledge base. 

• The user refuses to send the requested digital certificates to the SSA. 

• Given a user's current request, the user's presented digital certificates do not 
satisfy the resource provider's role-assignment policy. 

• The business logic on the assigned role's matching privilege evaluates false, 
based on the server-side knowledge base. 

Fig. 2. Architecture for Knowledge-Based Internet Authorization Using PKI 



Given a user's request, there are several steps in sending the user's digital 
certificates to the SSA after the role-filtering sub-system identifies the candidate roles 
assignable to the user. First, the SSA finds the set of digital certificates required for 
assigning each of the candidate roles to the user, based on the certificate acceptance 
policies and trust models specified in the server-side knowledge base. Second, if some 
of those certificates have already been cached in a local directory and are still valid, 
the SSA requests only the unavailable certificates from the user, who then sends 
back the requested certificates to the SSA according to the user's certificate-sending 
policy. Finally, the SSA caches the received certificates in its directory using the 
Lightweight Directory Access Protocol (LDAP). If the user refuses to send a 
requested certificate to the SSA, an alternative candidate role will have to be tried for 
its assignment to the user. 
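As an added illustration of the role-assignment and certificate-exchange procedure above (this is not code from the paper, whose implementation is a PROLOG knowledge base evaluated by an inference engine), the following Python sketch models a Server Security Agent that filters candidate roles, requests the certificates each role needs (serving cached ones first, honouring the client's certificate-sending policy, and rejecting revoked or untrusted ones), evaluates the privilege's business logic, and backtracks to the next candidate role on any failure, including a separation-of-duty conflict with a role already held. Role names, certificate types, the request format and the business-logic functions are all constructed for the example.

```python
"""Automated role assignment with backtracking, driven by digital certificates.

Constructed illustration: role names, certificate types, request format and
business-logic functions are assumptions, not the paper's PROLOG rules.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    kind: str                 # certificate type a role-assignment policy asks for
    issuer: str               # issuing CA, checked against the trust model
    valid: bool = True        # False once CRL/OCSP or expiry checks have failed
    attrs: Tuple[Tuple[str, str], ...] = ()


@dataclass
class Role:
    name: str
    required_certs: List[str]                                   # role-assignment policy RA(r)
    privileges: Dict[str, Callable[[dict, List[Cert]], bool]]   # P(r), each with its logic A(p, r)
    conflicts_with: Set[str] = field(default_factory=set)       # separation of duties


class ServerSecurityAgent:
    def __init__(self, roles, trusted_issuers, client_sending_policy):
        self.roles = roles
        self.trusted_issuers = trusted_issuers        # trust model T
        self.client_sending_policy = client_sending_policy
        self.cache: Dict[str, Cert] = {}              # stands in for the LDAP directory
        self.log: List[str] = []

    def candidate_roles(self, privilege):
        """Role-filtering sub-system: only roles holding the privilege are tried."""
        return [r for r in self.roles if privilege in r.privileges]

    def obtain_cert(self, kind, client_certs) -> Optional[Cert]:
        cached = self.cache.get(kind)
        if cached is not None and cached.valid and cached.issuer in self.trusted_issuers:
            return cached                             # still valid: do not ask the client again
        offered = next((c for c in client_certs if c.kind == kind), None)
        if offered is None:
            return None
        if not self.client_sending_policy(offered):   # the user refuses to send it
            self.log.append(f"client refused to send {kind}")
            return None
        self.cache[kind] = offered
        if not offered.valid or offered.issuer not in self.trusted_issuers:
            self.log.append(f"{kind}: revoked, expired or untrusted issuer")
            return None
        return offered

    def authorize(self, request, client_certs, already_assigned=()) -> Optional[str]:
        """Return the name of the role that authorizes the request, or None (denied)."""
        privilege = request["op"]
        for role in self.candidate_roles(privilege):
            if role.conflicts_with & set(already_assigned):
                self.log.append(f"{role.name}: separation-of-duty conflict, backtracking")
                continue
            presented = []
            for kind in role.required_certs:
                cert = self.obtain_cert(kind, client_certs)
                if cert is None:
                    self.log.append(f"{role.name}: {kind} unavailable, backtracking")
                    break
                presented.append(cert)
            else:                                     # all certificates for this role obtained
                if role.privileges[privilege](request, presented):
                    return role.name
                self.log.append(f"{role.name}: business logic false, backtracking")
        return None


# --- constructed sample policy and certificates -------------------------------------
def owns_account(request, certs):
    accounts = {dict(c.attrs).get("account") for c in certs if c.kind == "bank_account"}
    return request["account"] in accounts

def small_withdrawal(request, certs):
    return owns_account(request, certs) and request["amount"] <= 500

def large_withdrawal(request, certs):
    return owns_account(request, certs) and request["amount"] <= 5000

ROLES = [
    Role("premium_owner", ["bank_account", "premium_customer"], {"withdraw": large_withdrawal}),
    Role("account_owner", ["bank_account"],
         {"withdraw": small_withdrawal, "balance": owns_account}, conflicts_with={"auditor"}),
    Role("auditor", ["auditor_id"], {"balance": lambda req, certs: True},
         conflicts_with={"account_owner"}),
]
TRUSTED_CAS = {"ExampleBank", "ExampleUniversity"}
BANK_CERT = Cert("bank_account", "ExampleBank", True, (("account", "1234"),))
REVOKED_BANK_CERT = Cert("bank_account", "ExampleBank", False, (("account", "1234"),))


def decide(request, certs, sending_policy=lambda c: True, already_assigned=()):
    """Run one authorization decision and return (assigned role or None, SSA log)."""
    ssa = ServerSecurityAgent(ROLES, TRUSTED_CAS, sending_policy)
    return ssa.authorize(request, certs, already_assigned), ssa.log


if __name__ == "__main__":
    role, log = decide({"op": "withdraw", "account": "1234", "amount": 200}, [BANK_CERT])
    print(role)                  # account_owner, reached after premium_owner was backtracked
    print("\n".join(log))
```

The log shows the backtracking order: premium_owner is tried first, fails for want of a premium_customer certificate, and account_owner then authorizes the request; a revoked certificate or a refusal under the client's sending policy leaves no assignable role and the request is denied.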

Users' certificates can be sent to the SSA by an application, by a trusted applet 
digitally signed by the resource provider, or by a plug-in from a trusted third party for the 
user's Web browser. The user may configure its certificate-sending policy so that 
some of its certificates can be automatically sent to the SSA. The default 
configuration will inform the user of the SSA's request for them whenever it happens. 
If the user's certificate-sending policy evaluates false, the user will not send the 
requested certificates; otherwise, they will be sent to the SSA. The client side may 
need a knowledge base that describes the client's certificate-sending policy and trust 
models, as shown in Fig. 3. 

Figure 3. Knowledge-Based Certificate Sending 



Our knowledge-based approach to Internet authorizations using PKI-based digital 
certificates and RBAC has several unique advantages over the traditional RBAC and 
other access control models. First, it enables users to specify security policies, trust 
models, and business logic in a configurable knowledge base separately rather than 
hard-coding them into the system or the role privileges. Second, based on digital 
certificates, it allows unknown Internet users to access resources more conveniently 
without having to register with the resource provider in advance. Third, the approach 
supports automated, non-deterministic role-assignment. Because the user-role 
administration of conventional RBAC systems has been automated, the security 
manager's work is reduced to a minimum, and can thus be focused on the declarative 
specification of security policies and of trust relationships between the service provider 
and various CAs. Finally, our approach provides the flexibility that any change to the 
knowledge base will automatically drive the corresponding change in an organization's 
security policies on its business processes, thus easing security management. 


6 Remote Policy Enforcement in Internet Authorizations 

The solution to reducing the traffic caused by runtime digital certificate exchange 
between a client and a server is to minimize the computation-intensive non- 
deterministic policy evaluation over the Internet. This can be achieved by 
downloading the server-side knowledge base, which includes the certificate acceptance 
policy and the role-assigning policy, onto the client's machine whenever the client requests 
a service. 

However, the server-side security policies will not be enforced unless, on the client 
side, the inference engine is trusted and the knowledge base used is the same as that 
from the service provider. One potential solution is to generate the set of a client's 
digital certificates required for its current request and send them to the server side 
for checking [25]. Because much of the backtracking has already been done on the 
client side while finding the set of the client's certificates that satisfy both the 
client's certificate-sending policy and the server-side certificate acceptance policy, the 
server-side check no longer needs to ask the client to send various digital 
certificates to it, and therefore the client's privacy is protected to some extent. 

To further reduce the traffic between a client and a server, we only need to 
download onto the client's machine a much smaller server-side knowledge base, 
which is relevant to the client's current request and can be pre-computed. Before 
discussing how to enforce security policy remotely and efficiently, we first give the 
following notation. Let R be the set of roles, and KB the set of rules in the 
knowledge base on the server side. 

1. For a given role r, its privileges and role-assignment policies are denoted by 
P(r) and RA(r), respectively. 

2. For a given privilege p in role r, its business logic is denoted by A(p,r), and 
the partial KB relevant to it is defined as $K(p,r) = RA(r) \cup A(p,r)$. 

3. For a given privilege p, the set of candidate roles assignable to a user is 
defined as $C(p) = \{\, r \mid r \in R \wedge \exists q \in P(r)\ \exists u\,(p \circ u = q \circ u) \,\}$, 
where u is a most general unifier for p and q. 

4. The privileges of all of the roles in R are defined as $Priv(R) = \bigcup_{r \in R} P(r)$. 

5. Let T be the trust model for the validation and acceptance of the client's 
digital certificates by the service provider. 

6. For a given privilege p, the partial KB relevant to it is defined as follows: 
$knowledge\_base(p) = \big( \bigcup_{r \in C(p)} K(p,r) \big) \cup T$. 

During the compilation of KB, for every role r and each privilege p in r, C(p) and 
K(p,r) are computed first, and finally knowledge_base(p) is computed. We store C(p) 
and knowledge_base(p) in a file whose name is denoted by F(p). 

The client's service request can now be processed as follows. First, the SSA 
translates it into a corresponding privilege p in Priv(R). Then, the SSA sends the file 
F(p) to the client. After the client application receives the partial server-side 
knowledge base, it retrieves C(p) and knowledge_base(p) immediately, and tries to 
enforce the server-side security policies based on the client's current request and 
available digital certificates. Finally, if the client is authorized for the current service 
request, it returns to the SSA a set of the client's digital certificates that satisfy both the 
client's certificate-sending policy and the server-side security policies; 
otherwise, an empty set is returned. 



7 Conclusions 

In this paper, a knowledge-based approach to Internet authorizations is proposed, 
using PKI-based digital certificates and RBAC. After introducing a logic-based policy 
specification language, we present a policy-driven RBAC. Security policies are 
expressed as the rules of an application-specific, configurable knowledge base. An 
inference engine is utilized to evaluate policies, automatically assign roles to Internet 
users based on their digital certificates, and redo role assignment as required. The 
approach is capable of dealing with unknown Internet users and automatically 
managing user-role assignment by using digital certificates, which makes the 
administration of unknown Internet users' access to services less of a burden to 
security managers. Finally, we discuss an efficient method of remote security policy 
enforcement by downloading a partial knowledge base that is relevant to a client's 
current request. 

As pointed out in [11,12,14,18,25], the expressiveness of a logic-based 
specification language allows security policies to be succinctly and uniformly 
specified. PROLOG is based on Horn clauses, which are a subset of first-order logic, 
and has a solid theoretical foundation for reasoning. Both policy evaluation and policy 
conflict detection can be easily done within the logic framework. Therefore, 
PROLOG is adopted as the generic policy representation language in this paper. 
However, a policy-authoring tool is strongly recommended for alleviating the policy- 
writing task of security managers. The tool should be capable of mapping a user's 
access request to a role's privilege intelligently and of refining a high-level security 
policy into an executable rule, so that security managers can focus on the 
specification of authorization policies, trust models, and role-assigning policies in the 
knowledge base. 
Appendix A. The Role Syntax 

<Role> ::= "Name:" <RoleName> "." 
           ["Role-Assigning Policy:" {<Predicate> | null | true} "."] 
           ["Authorizations:" <Privileges> "."] 

<RoleName> ::= <Symbolic Atom> 

<Privileges> ::= <Privilege> 

<Privilege> ::= <Pattern> "," <Policy> {"," <Method>}* "." 

Where <Pattern> is a user's request pattern expressed by a logical term, <Policy> is 
a predicate defined by a set of PROLOG clauses, and <Method> is defined as an 
external function in modules. 



Appendix B. A Bank Example 

We use a simple example to demonstrate the ideas contained in the paper. It is 
assumed that a full-time student has already been issued an identity certificate by an 
accredited university, and has got a digital driving license issued by the Driving 
License Agency (DLA) after having passed both the theory and practical tests. The 
student wants to obtain the service of car rental or hotel reservation on the Internet, 
which requires the student to open an account in a recognized bank first to get digital 
credit certificates. The bank provides a set of E-services, including new account 
creation and normal bank account transactions. In the following, various kinds of policies 
are modeled by PROLOG rules, and predicates are only sketched due to space 
limitations. 

Name: account_owners. 

Role-Assigning Policy: bank_account_owners( Accounts, Certificates, Request ). 

Authorizations: 

Request = [balance, Account], true, get_balance( Account, Balance ). 
    % get bank account balance. 

Request = [deposit, Account, Amount], true, deposit_money( Account, Amount ). 

Request = [withdraw, Account, Amount], 
    overdraw_policy( Certificates, Limit ), 
    withdraw_test( Limit, Account, Amount ), 
    withdraw_money( Account, Amount ). 

% Request attribute certificates issued by the bank from the user, and collect bank 
% account numbers into Accounts. If the user doesn't have a valid and 
% acceptable attribute certificate issued by the bank, it returns false. 
bank_account_owners( Accounts, Certificates, Request ) :- 
    request_certificates( Certs ),                  % its definition is omitted 
    valid_and_accepted_certificates( Certs, AcceptedCerts ), 
        % collect valid and accepted certificates from Certs into AcceptedCerts 
    get_account_numbers( AcceptedCerts, Accounts ), 
        % get account numbers of valid and accepted bank account attribute certificates 
    bank_account_no( Request, Account ), 
    member( Account, Accounts ). 
Abstract. The review process is an important part of many everyday 
activities. We introduce the concept of trusted review for electronic data. 
The review process is performed using an insertable security device called 
a Trusted Reviewer. The Trusted Reviewer can be designed to satisfy 
high assurance evaluation requirements. We show how the Trusted Re- 
viewer can offer increased security in messaging, certification authorities, 
funds transfer, witnessing, and information downgrade. 



1 Introduction 

Computer systems and networks are an increasingly integral part of our every- 
day operations. As a result, we are becoming increasingly dependent on these 
systems. Another trend, relevant to this article, is that humans are becoming 
separated from computer processes as use of automation increases and comput- 
ers begin to undertake interactions between themselves on our behalf. As our 
traditional paper medium is replaced by electronic methods and computers be- 
come more pervasive, we are becoming further dis-associated from tasks and 
actions once under our control. With the many advantages of computerisation 
it is evident that these changes will be permanent with the “brave new world 
of ubiquitous computing” […]. At the same time computer security incidents 
are widely acknowledged to be on the rise. There are many reports of attacks; 
for example, […, Section 1] describes a number of successful attacks against well 
known organisations ranging from the Pentagon to NATO. Seemingly, we face a 
brave new world ridden with risks. 

There are several approaches to mitigate these problems. For example, se- 
curity evaluation and accreditation schemes are in place to provide a measure 
of confidence where required. Legislation exists for the provision of due care 

* This work was performed in part while with DSTO, and in part while with the ISRC 
at QUT. 
with the handling of certain information […]. Another approach is to use in- 
sertable security products like firewalls, intrusion detection systems, etc. Indeed, 
insertable security products can focus on securing particular applications or com- 
ponents rather than the entire system. An example along these lines is to use 
tamper resistant devices, such as smartcards, to provide key storage and perform 
cryptographic operations thus protecting cryptographic keys from exposure on 
a Personal Computer (PC). 

In this article, we consider a process familiar to humans that can be trans- 
ferred to the electronic world to improve security, namely, the process of review. 
This is achieved using an insertable security device which we call the Trusted 
Reviewer. This device may be used by a human to review data in a high assur- 
ance setting. Prototype devices are currently under development at the Defence 
Science and Technology Organisation. 

This article describes both the Trusted Reviewer (TR) itself and a number of 
its applications. In Section 2 we briefly outline a number of existing information 
security problems relevant to our discussion. In Section 3 we describe the Trusted 
Reviewer and outline possible applications in Section 4. Conclusions are given 
in Section 5. 

2 Hurdles: A Brief Survey of Existing Problems 

High development costs are making proprietary or custom hardware and soft- 
ware unattractive. As a consequence, commercial off the shelf (COTS) products 
are being incorporated into sensitive and critical processes. Even defence organ- 
isations, which require the most dependable systems, have acknowledged their 
increased reliance on the use of COTS products […]. In […], attention is drawn 
to the contrast between the acceptance of software failures and normal consumer 
expectations of dependability with other products. Wide utilisation of COTS 
products and the on-going interconnection of systems have increased exposure to 
computer attacks in the following ways. 

— Decreases in diversity of available products have led to wider susceptibility. 

— Inter-connection has enabled remote attacks and increased the scope of at- 
tacks as infected computers and systems can be used to spread attacks. 

— Economic pressures for rapid development and system evolution have de- 
creased consideration of security issues. 

— The increased complexity of systems has made security harder to achieve. 

This list is by no means complete but highlights some of the issues now affecting 
computer security. 

The concept of trusted computing has largely remained within the military 
and research domains. The increased reliance on computer systems to support 
critical processes will drive this concept into the commercial sector. The first 
steps have already been taken in this direction¹. Without trusted platforms it may 
be necessary to employ external trusted devices to provide the required process 
security and assurance. Separate trusted devices can run simplified programs for 
specific applications, allowing users to keep their untrusted platforms for running 
comprehensive, full featured applications. The idea of using insertable security 
devices in systems has already generated some high assurance devices, such as 
[…]. Some, recognising the vulnerabilities in general purpose computers, have 
proposed trusted devices for certain applications, such as voting […] or smartcard 
PIN entry […]. 

¹ The intentions of this group may not be as altruistic as they first appear […]. 

Baker […] argues that the trusted system concept is still relevant in modern 
computer systems. She states that “Any system component is only as trust- 
worthy as the components upon which it depends.” This point has been widely 
overlooked, even with security products. For example, cryptography can be used 
to secure transmissions between two end points but it cannot secure the ends: 
indeed it imposes additional security requirements. End point attacks still have 
to be considered, but are all too frequently ignored. 

The following quote from Baker extends the idea of trusted components: 



“Applications derive their functionality and assurance from the strength 
of the underlying infrastructure; unfortunately dependability of that in- 
frastructure has largely been ignored.” 



This comment may seem to contradict the concept of insertable security. How- 
ever, we will show that it does not. 

We support efforts to improve the security of application and operating sys- 
tem software. However, with current technology, it would not be cost effective to 
develop and evaluate them all to the highest standards. Instead, we should try 
to isolate the security enforcement into small components, so that if we can trust 
only those modules, the entire system will be secure. A physical world analogy 
is that by securing the external doors, walls, and windows of a house, we reduce 
the need to have the same level of security on inner doors and walls. 



3 Trusted Review: Concepts 

Two established principles for the design of a secure system […] are: 

Economy of mechanism: keep the design as simple and small as possible. 
Complete mediation: every access to an object must be validated. There must 
be no path to the object that bypasses validation. 

The traditional result of applying these rules is the Reference Monitor, which 
requires that a secure kernel at the heart of an operating system mediates access 
to every file. Although many systems contain a reference monitor, it has not 
proven to provide a very high level of security. 

If we assume that there is limited opportunity to improve commodity com- 
puting systems (including operating systems), then we need to look for a different 
way to apply these principles. The trusted reviewer described in this paper medi- 
ates access to a special private key. Access is based on decisions an authenticated 
user makes in response to the displayed document. 
In a simple scenario, illustrated in Figure 1, a user Alice has a trusted reviewer 
(TR) device on her desk, next to her PC. At the beginning of a session, she 
authenticates to the TR. When it is necessary for her to confirm some critical 
information, the PC transmits it to the TR². The TR displays the information 
to Alice, who has an opportunity to read it carefully. If she decides to confirm 
the information, she presses the “Accept” button on the TR to indicate this. 
The TR then creates a pair of digital signatures for the information to indicate 
that it has been confirmed within the trusted environment. The first signature is 
calculated using Alice’s private key, and the second uses a private key belonging 
to the device itself. The signed information is then sent back to the PC. 



[Figure: Alice’s PC with its TR and Bob’s PC with its TR, connected over the network.] 

Fig. 1. Network topology for simple Trusted Reviewer scenario 



Alice can now email the (TR-signed) information to Bob. Bob’s email pro- 
gram can check the signature(s), and it informs him that it is valid. However, 
Bob is aware (possibly through bitter experience) that COTS computers cannot 
be trusted to any great degree. Before he relies on, or trusts, this signature he 
sends it to his own trusted reviewer. The TR verifies the signature, and displays 
the details of the signature and the document to Bob. Because the TR is not 
susceptible to threats like his PC, Bob is able to trust the TR’s display. 

This scenario illustrates the essential security functions of the TR: 



— Authentication of the user 

— Display of information to the user³ 

— Receiving an indication of the user’s confirmation 

— Generating a digital signature 

— Verifying a digital signature 

Figure 2 is a logical view of the TR’s internal functions and its external interfaces. 



² Any convenient medium such as USB, Ethernet, or SCSI could be used. 

³ Trusted display and receipt of user’s confirmation constitute a “Trusted Path” in 
the terminology of […]. 
Fig. 2. Functional view of the Trusted Reviewer 



3.1 Authentication Mechanism 

It would be possible for the TR to use a variety of different authentication 
mechanisms. Here, we propose the use of a smartcard or similar token (see […], for 
example) that requires entry of a PIN for activation. The smartcard is inserted 
into the TR (not the computer), and the PIN is entered directly into the TR. This 
means that a PIN need never be entered into the computer⁴ (where untrustworthy 
software may have access to it). We suggest using public key cryptography to 
authenticate the user to the TR, as this technology can then be used to apply 
digital signatures to reviewed data. With public key cryptography each entity 
has a public key and a private key. The public key is made available to all 
entities. The private key is protected from disclosure and use by anyone other 
than the rightful owner. We propose that the user’s smartcard contain their 
private signing key. 

The TR may present a challenge for the smartcard to sign or use other 
mechanisms to obtain some signed data from the smartcard. The TR must also 
have access to the associated public key. We do not outline a preference for the 
mechanism to achieve this in this article. However, we note that this can be done 
using TR-loaded public keys or by employing Public Key Infrastructure (PKI) 
methods […]. 

Whenever a user is able to insert a smartcard and enter the appropriate PIN, 
that user is said to be authenticated. 

3.2 Display 

We have explained that most commodity computers are vulnerable to malicious 
software. Thus, we cannot rely on these computers to display the actual contents 
of a document or file to us reliably. 

⁴ Some commercially available smartcard readers […] have PIN entry systems which 
do not require the computer to process the PIN. 

We solve this problem by arranging for the information to be forwarded to 
the TR for display. The TR may have its own built-in display mechanism, or by 
suitable arrangement of video cables and some switches, it is possible to use the 
computer’s monitor, as shown in Figure 3. 




Fig. 3. Video and keyboard switching for the Trusted Reviewer 



It is important for the user to be confident that the display is an accurate 
representation of the information. For example, if the user is about to certify 
that the document contains no classified information, it may be important that 
it is not a Microsoft Word file containing some “Track Changes” information, as 
this would allow a recipient to undo some recent deletions. Similarly, if it were a 
contract, it would be important to make sure that the user can see every page, 
and all information on those pages, before they sign. For this reason, it may be 
appropriate for the TR to use a specialised markup format to indicate how the 
document is to be displayed. 

Providing the user with a reliable, complete, and easy-to-interpret display of 
the document’s contents is a difficult task. Initial implementations of the Trusted 
Reviewer have been limited to simpler document formats, such as plain text, 
RTF, and HTML. For perfect security, it would be necessary for the Trusted 
Reviewer to expose (or filter out) any steganographic content. This is, by 
definition, challenging, and the subject of continuing DSTO research. 

We can see that there will also be a need for a user to scroll or page through 
a long document. One possibility is to have dedicated keys on the TR to do this. 
An alternative would be to switch the PC’s keyboard, as shown in Figure 3, so 
that it could be used to operate the trusted reviewer. 



3.3 Signature Generation 

One of the attractive security features of some smartcards is that the user’s 
private signature key can never leave the card. This means that there is a high 
degree of certainty that the user’s signature can only be created by that card 
(assuming that the keys and algorithms are not weak, broken, or compromised). 
However, this does not guarantee that the user has approved or seen the informa- 
tion being signed, or is even aware of signing events. There are three components 
involved in creating a digital signature: the private key, the algorithm, and the 
data to be signed. The overall security of the signature creation process is lim- 
ited by the security of each of these components. A smartcard can be used to 
secure the key and algorithmic processing, but it is not able to ensure that only 
appropriate information is signed. No matter what data is sent to the card, the 
card will securely create a signature for that data. 

We solve this problem by programming the TR so that it can only sign 
information after it has been reviewed and confirmed by an authenticated user. 
Now it may be possible to use similar software on a PC. However, because the 
TR is a rigorously evaluated embedded device, it will not be possible for any 
malicious software to bypass this mechanism in the TR. The same cannot be 
said for the PC environment. 

The user’s smartcard may sometimes also be used in an untrustworthy pro- 
cess, such as on the PC. It is necessary, therefore, to ensure that any signature 
created by a TR is clearly identifiable. We propose to solve this problem by 
having the TR append its own additional signature to that of the user. 

This implies that the TR needs to be an end-entity in the public key world, 
having its own identity, public-private key pair, and certificate. Also, it means 
that the private key needs to be stored securely inside the TR, or otherwise 
communicated securely to it from some central store. We propose that the TR 
would have its own smartcard locked (via some physically secure means) into 
place. 



3.4 Signature Validation 

The verification of digital signatures is subject to the attacks that we outlined 
for digital signatures themselves. Signatures can be validated on a PC, and 
the results displayed to the user. However, as indicated earlier, when a PC is 
vulnerable to potentially malicious code, we cannot trust what the PC says. 
Therefore, if we need to rely on a signature, it is important that the validation of 
that signature, and the display of the result, are both carried out in a trustworthy 
way. This motivates use of the TR for signature validation. 

To support validation it may be necessary for the TR to contain a root 
public key (a key from which all trust is referenced) in secure storage. There 
are a number of complex issues associated with public key infrastructures upon 
which the Trusted Reviewer will rely, such as the discovery of valid certificate 
paths. In this paper, we do not attempt to solve these problems. However, we 
do note that the TR does not need to be able to perform complex searches 
of directories; such tasks, as well as preliminary validation of certificates, can 
be delegated to the PC, with the results being forwarded to the TR for final 
verification. 
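Signing and validation as described in Sections 3.3 and 3.4, as an added example that is not DSTO's design or code: Ed25519 from the `cryptography` package stands in for whatever algorithm a real TR would use, the length-prefixed envelope format and the PIN handling are assumptions of this example, and the smartcards are modelled as objects that sign anything presented to them, which is exactly the property the TR has to compensate for. The device countersigns the document together with the user's signature, so a verifier can tell a signature made under review from one a compromised PC obtained from the user's card directly.

```python
"""Trusted Reviewer: sign only after review, countersign with the device key, validate both.

Constructed illustration; Ed25519 (via the `cryptography` package), the envelope
layout and the PIN handling are assumptions, not DSTO's design.
"""
import hmac
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


class Smartcard:
    """A card signs whatever it is handed; it cannot tell whether the holder has seen the data."""
    def __init__(self, pin: str):
        self._key = Ed25519PrivateKey.generate()      # the private key never leaves the card
        self._pin = pin.encode()
        self.public_key = self._key.public_key()

    def check_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin, pin.encode())

    def sign(self, data: bytes) -> bytes:
        return self._key.sign(data)


def _tr_message(doc: bytes, user_sig: bytes) -> bytes:
    """What the device signs: the document and the user's signature over it, length-prefixed
    so that a verifier cannot split the two fields differently from the signer."""
    return b"TR-REVIEWED" + len(doc).to_bytes(4, "big") + doc + user_sig


class TrustedReviewer:
    def __init__(self, device_card: Smartcard):
        self._device_card = device_card            # the TR's own, physically locked-in card
        self.public_key = device_card.public_key   # published so other TRs can recognise it
        self._user_card = None

    def authenticate(self, card: Smartcard, pin: str) -> bool:
        """The PIN is entered into the TR and never passes through the PC."""
        self._user_card = card if card.check_pin(pin) else None
        return self._user_card is not None

    def review_and_sign(self, doc: bytes, user_reads_and_accepts):
        """Show doc on the trusted path; sign only if the authenticated user presses Accept."""
        if self._user_card is None:
            raise PermissionError("no authenticated user")
        if not user_reads_and_accepts(doc.decode("utf-8")):
            return None
        user_sig = self._user_card.sign(doc)
        tr_sig = self._device_card.sign(_tr_message(doc, user_sig))
        return {"doc": doc, "user_sig": user_sig, "tr_sig": tr_sig}

    @staticmethod
    def validate(envelope, user_pub, known_tr_pubs):
        """Receiving TR: both signatures must verify and the countersignature must come from
        a known TR. Returns (ok, text for the trusted display)."""
        doc, user_sig, tr_sig = envelope["doc"], envelope["user_sig"], envelope["tr_sig"]
        try:
            user_pub.verify(user_sig, doc)
        except InvalidSignature:
            return False, "user signature invalid"
        for pub in known_tr_pubs:
            try:
                pub.verify(tr_sig, _tr_message(doc, user_sig))
                return True, doc.decode("utf-8")
            except InvalidSignature:
                continue
        return False, "no Trusted Reviewer countersignature"


def demo():
    """Walk through the Alice/Bob scenario; returns the outcome of each step."""
    alice_card, alice_tr = Smartcard("1234"), TrustedReviewer(Smartcard("dev-1"))
    bad_pin = alice_tr.authenticate(alice_card, "0000")
    good_pin = alice_tr.authenticate(alice_card, "1234")
    doc = b"Pay 100 to account 42"
    accept = lambda text: "account 42" in text       # the human reading the trusted display
    env = alice_tr.review_and_sign(doc, accept)
    rejected = alice_tr.review_and_sign(b"Pay 100000 to account 99", accept)

    known = [alice_tr.public_key]                    # Bob's TR knows Alice's TR
    ok, _ = TrustedReviewer.validate(env, alice_card.public_key, known)
    # Malware on Alice's PC drove her card directly and countersigned with some other key.
    raw_user_sig = alice_card.sign(doc)
    forged = {"doc": doc, "user_sig": raw_user_sig,
              "tr_sig": Smartcard("x").sign(_tr_message(doc, raw_user_sig))}
    forged_ok, _ = TrustedReviewer.validate(forged, alice_card.public_key, known)
    # Document altered in transit after signing.
    tampered_ok, _ = TrustedReviewer.validate(dict(env, doc=b"Pay 900 to account 42"),
                                              alice_card.public_key, known)
    return bad_pin, good_pin, env is not None, rejected is None, ok, forged_ok, tampered_ok
```

The receiving TR accepts only an envelope whose user signature verifies and whose countersignature was made by a TR it knows over that same document and user signature; a signature the user's card produced outside any TR, or a document changed after review, is reported as untrusted on the trusted display rather than by the PC.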
3.5 Assurance 



In regards to security, we need to address the question of why we can rely on the 
trusted reviewer when we cannot rely on the user’s computer. There are really 
two questions here that need answering. 



Question 1: why is the TR implicitly more trustworthy? 

The TR is a far simpler device than a PC. It has a specific purpose and performs 
a small number of tasks. The TR would be an embedded device with all software 
in ROM and consist of a simplified operating system, with no disk drives or any 
other built in non-volatile storage. It would be limited to a single, well defined 
function. Hence it is feasible for it to be evaluated very carefully. In fact, we 
propose that EAL-7 (Evaluation Assurance Level 7 of the Common Criteria 
[…]) would be an achievable level. This level is the highest supported by the 
Common Criteria. This judgement is based on our experience with the evaluation 
of other devices to similar levels […]. In comparison, a PC is composed 
of complicated hardware and software, none of which can be considered to be 
in a stable or static state. Evaluation is difficult at best, with only lower EAL 
levels attainable. 



Question 2: why can we trust a system composed of untrusted PCs 
and trusted reviewers? 



The function of the TR is to display the content to the user no matter what 
this content contains. Once the information is passed to the TR from the PC, 
it cannot be altered and can be considered to be in a static state. The content 
is displayed to the user under the control of the TR. The user is wholly 
responsible for judging whether this content is acceptable. If the user 
decides to accept the content, the TR will cover the information with its 
own digital signature before passing the information and the signature back to 
the PC. Similarly, a TR can be used to check a TR’s signature and the content it 
is associated with. Therefore the untrusted PCs do not affect the TR’s operation.* 



3.6 Threat Model 

In this section, we explain and summarise how the TR can offer improved secu- 
rity. The essential security-breach conditions that we aim to prevent are: 

1. Information being signed with a user’s (Alice’s) signature, without that user’s 
knowledge of what is being signed, and/or without their deliberate decision 
to make and be bound by that signature; or 

2. A user (Bob) being convinced that another user (Alice) deliberately chose 
to sign and be bound by a document, when this is not the case. 



* Of course, the PCs can cause a denial-of-service attack, but this is true whether or 
not the TR is involved. 
The TR offers the following features: 

— Allows PCs to be virus-prone. Assume firstly that Alice’s computer contains 
malicious software. 

• If this software modifies the document before the signature is applied, 
Alice will detect this when she reads it in the trusted display. 

• If this software modifies the document after the signature is applied, the 
signature will not be valid. 

• If this software refuses to send the information to the TR, no signature 
will be created. (This may be a denial of service, but it doesn’t fit within 
our definition of a security breach.) 

• This software cannot obtain Alice’s or the TR’s private keys, nor cause 
any information to be signed with them, until it has been reviewed and 
physically accepted by Alice. 

Now, assume that Bob’s computer contains malicious software. 

• Bob’s computer may display information to Bob claiming that it has 
been signed by Alice. But Bob will not believe this unless the TR is in 
control of the screen. (The TR may use a LED or other device to indicate 
that the screen is presently trustworthy.) 

• Bob’s computer may not pass information to the TR when it should. 
This is another denial of service, but not a security breach as we have 
defined it. 

• Bob’s computer may modify the information before it reaches the TR. 
But then the signature(s) will not be valid, and the TR will indicate that 
the document has not been validly signed. 

• Bob’s computer may modify the information after the TR has displayed 
it. But Bob will already have seen the real information and that it was 
validly signed. 

— Allows communications between PC and TR to be open and unauthenticated. 
The TR does not trust the source of any communications. The user is re- 
quired to visually verify information before it is signed. 

— Allows user’s smartcard to be used in untrustworthy devices. If the user’s 
smartcard is used in a PC containing malicious software, a document could 
be signed with the user’s signature, without the user’s knowledge. However, 
such a document could not be signed with the TR’s private key, because this 
key is never made available outside the TR. Therefore, the recipient’s TR 
will not indicate that the document has been validly signed. 

— Protects the PINs of the users’ smartcards. Unless the users choose to use 
their cards in untrusted environments, we can guarantee that the PIN is 
never made available outside the TR. 

The TR does not solve all security problems. The security that it offers rests on 
a number of pillars. 

Public Key Cryptography 

The TR uses public key cryptography to create signatures. If the keys or algo- 
rithm can be broken, either by brute-force or other attacks, then the system will 
not be secure. 
Public Key Infrastructure 

The TR relies on the security of its private keys, and of the root public key. If 
these can be compromised, the overall system will not be secure. 

User 

If the authorised user behaves irresponsibly, then the system will not be secure. 
Examples of irresponsible behaviour include habitually pressing the “Accept” 
button without carefully reading the information displayed by the TR, and 
believing the reported validity of a signature when the TR is not in trusted display 
mode. Another problem is that the information displayed may be ambiguous.* 
However, this problem is not specific to the TR. 



4 Trusted Review: Applications 

4.1 High Assurance Signatures 

In the previous section, we described a high assurance signature scenario for the 
trusted reviewer. Such a system provides a recipient with a very high level of 
confidence that it not only came from the particular signer, but also that this 
signer deliberately confirmed that she would accept and be legally bound by the 
information that was displayed. This high assurance signature can be contrasted 
with existing systems which rely on operating system services to provide: 

— authentication of the user; 

— access and reuse control for the PIN or private key; 

— display of the information to the user; and 

— confirmation that the information should be signed. 

When an operating system vendor builds in features that allow automatic 
exploitation of one or more of these services, the signature may not be very 
meaningful. Even the lay community is aware of the Melissa and I-Love-You 
viruses: malicious software that transmits email from your account without your 
knowledge. It would not be difficult to construct a virus which would 
create and append a valid digital signature to such emails. 



4.2 Certification Authority 

We have described some problems with current mechanisms for creating digital 
signatures. One important area where signatures are used is in the creation of 
digital certificates. Trusted authorities, known as Certificate Authorities (CAs), 
create and digitally sign certificates. The CA’s signature attests to the correctness 
of the details within a certificate (usually linking an identity or authorisation to 
a public key value). 



* As an example of undesirable ambiguity, the verb “cleave” can mean “stick together” 
or “break apart”. 
It is normal for CA software to be loaded onto an existing (and relatively 
untrustworthy) operating system. Even if the CA software itself has been strin- 
gently evaluated, so that it only creates signatures for appropriate certificates, 
there is nothing to stop the operating system from accessing the CA’s private 
key,* or from providing inappropriate input to the CA software. 

For critical applications, it would be appropriate to use a TR as a CA work- 
station. This would have the advantage that no untrustworthy software could 
ever access the CA’s private key, or cause a signature to be created without the 
operator’s knowledge. 



4.3 Witnessing 

Many legal aspects of our civil society require the witnessing of documents and 
signatures. For example, a person’s signature on their legal will needs to be 
witnessed by two other people. The major application is to prevent forgery and 
fraud. The witness may provide evidence regarding the signing event if it is later 
called into question or denied. With paper-based witnessing of a signature, this 
usually means checking that a document doesn’t have blank spaces or alterations, 
and then watching a person make a mark on the page, before the witness applies 
their mark. The witness’s mark attests that they have observed this event. It does 
not require authentication of the signatory or careful review of the meaning of 
the document, as the witness is not bound by its contents. Currently, no method 
for electronic witnessing exists, although some requirements have been proposed. 

The TR may be used to support a witnessing application in the following 
way. The signatory uses a TR to apply their digital signature to the reviewed 
information (as described in Section 4.1) in the presence of the witness. The 
witness can then use a TR to review the information and verify the associated 
signature. The TR can display the information to the witness and also the pres- 
ence of a valid digital signature. If the witness is satisfied by the results of this 
process then they digitally sign over the entire document and signature (or some 
fingerprint of this information). 

With paper-based witnessing it is sometimes recommended that everyone 
uses the same pen (this strengthens the evidence that the signing was performed 
with everyone present). This could be achieved electronically by using a single 
TR device which applied its signature to each signature in turn. By including a 
trusted real-time clock within the TR, signatures could also be reliably times- 
tamped. This would provide additional benefits in witnessing applications, and 
possibly auditing and other non-repudiation services. 

4.4 Electronic Funds Transfer 

Banks and commercial organisations use dedicated Automatic Teller Machines 
and special purpose EFTPOS devices. Yet many banking operations can today 
be performed over the Internet. Although there are many risks, banks (and 
their customers) appear to have decided that it is commercially worthwhile to 
offer (use) these services. If TR devices became prevalent, it might be appropriate 
for banks to require their use for fund transfer requests. Manninger has 
proposed a similar system for Internet banking. 

* Even if the key is stored on a smartcard, the OS could cause the smartcard to sign 
an inappropriate certificate, without the operator’s knowledge. 



4.5 Multilevel Security Information Downgrade 



The final application we describe in this paper is actually the one for which the 
TR was originally invented. Consider an organisation with two networks, one 
classified, say “Secret”, and the other one Unclassified. In an ideal situation, 
there would be no need to transfer information between these two networks. 
However, in reality, these information flows are required. 

From a confidentiality view-point, there are no problems with allowing in- 
formation to pass from the Unclassified to the Secret network (integrity and 
availability issues are outside the scope of this paper). Transferring information 
from a Secret network to an Unclassified network is, however, potentially danger- 
ous. We assume that each network is comprised of COTS (untrusted) hardware 
and software.* Therefore, we need to cater for the possibility that there may be 
malicious software on the Secret network. Such software may insert Secret infor- 
mation inside what would otherwise be Unclassified files. If an operator transfers 
the file onto a magnetic medium, and then to the Unclassified network, we would 
have a security breach. 

Some “guard” systems use labels to indicate which files are suitable for passing 
from a Secret system, through a filter, to the Unclassified system. However, 
these labels are typically generated on untrusted platforms. The security 
therefore relies on the correct operation of an untrustworthy system. This is 
hardly a desirable situation. 

With these problems in mind, we propose that a TR could be used to attach a 
signed label to a file. This label could not be forged, nor created without a human 
user’s deliberate confirmation. A Guard (a sibling in the TR product range) 
would verify the signature of the label, and check that the classification within 
the label was appropriate before transferring it to the unclassified network. 

In Figure 4 we see Charlie’s PC connected to the Secret network. He wants to 
send an Unclassified email to Dora, whose PC is connected to the Unclassified 
network. Charlie first creates the email, and then his PC sends it to his TR. 
The TR generates a “trusted display” of the contents of the message (including 
the label “Unclassified”), which Charlie is able to review. When he presses his 
“Accept” button, the TR signs the message with Charlie’s signature and its own 
signature, and returns it to the PC. 



* The security of the Secret network is provided by physical access control means, 
rather than any logical mechanism: e.g. only people with Secret clearances are allowed 
to be in the same room as the Secret network. 

Fig. 4. Multilevel Security Downward Transfer Scenario 



The PC now forwards the message to the Guard via the email system. The 
Guard checks that the message: 

— has an “unclassified” label; 

— has been signed by an authorised user; and 

— has been signed by an authorised TR. 

After these checks are passed, the Guard is able to forward the message to Dora’s 
computer, again via the email system. 

Space limitations preclude a detailed discussion of the frameworks for man- 
aging authorisation. Readers will recognise that a supporting PKI could be de- 
signed with ease. A separate option might require more than one person on the 
Secret system to approve the release of information. 
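The Guard's three checks, written out as an added example that is not the paper's code. Ed25519 from Go's standard library stands in for the unspecified signature algorithm, and the key registry, the identifiers "charlie" and "tr-1", the NUL-separated signing format and the message bodies are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// LabelledMessage is what the TR hands back to the PC after "Accept": label and
// body as shown on the trusted display, the user's signature over them, and
// the TR's signature over label, body and user signature together.
type LabelledMessage struct {
	UserID, TRID string
	Label, Body  string
	UserSig      []byte // made with the user's smartcard key
	TRSig        []byte // made with the key that never leaves the TR
}

// Guard holds the public keys of authorised users and authorised TRs (a
// constructed in-memory stand-in for the supporting PKI the paper leaves open).
type Guard struct {
	Users, TRs map[string]ed25519.PublicKey
}

// newIdentity makes a fresh Ed25519 key pair (smartcard key or TR key).
func newIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// userBytes is what the user signs: the reviewed label and body, NUL-separated
// so that neither field can be shifted into the other.
func userBytes(label, body string) []byte {
	return []byte(label + "\x00" + body)
}

// trBytes is what the TR signs: the same label and body plus the user's
// signature, so relabelling or re-signing after review invalidates it.
func trBytes(m LabelledMessage) []byte {
	return append(append(userBytes(m.Label, m.Body), 0), m.UserSig...)
}

// trReview models the TR's "Accept" step: both signatures exist only once the
// user has seen label and body on the trusted display.
func trReview(userID string, userKey ed25519.PrivateKey, trID string,
	trKey ed25519.PrivateKey, label, body string) LabelledMessage {
	m := LabelledMessage{UserID: userID, TRID: trID, Label: label, Body: body}
	m.UserSig = ed25519.Sign(userKey, userBytes(label, body))
	m.TRSig = ed25519.Sign(trKey, trBytes(m))
	return m
}

// Release applies the three Guard checks of Section 4.5 in order and names
// the first one that fails.
func (g Guard) Release(m LabelledMessage) (bool, string) {
	if m.Label != "Unclassified" {
		return false, "label is not Unclassified"
	}
	upk, ok := g.Users[m.UserID]
	if !ok || !ed25519.Verify(upk, userBytes(m.Label, m.Body), m.UserSig) {
		return false, "not signed by an authorised user"
	}
	tpk, ok := g.TRs[m.TRID]
	if !ok || !ed25519.Verify(tpk, trBytes(m), m.TRSig) {
		return false, "not signed by an authorised TR"
	}
	return true, "released to the Unclassified network"
}

// Scenario replays Charlie's email and two things malicious software on his
// PC might do, returning whether the Guard releases each message.
func Scenario() (genuine, relabelled, noTR bool) {
	charliePub, charliePriv := newIdentity()
	trPub, trPriv := newIdentity()
	g := Guard{Users: map[string]ed25519.PublicKey{"charlie": charliePub},
		TRs: map[string]ed25519.PublicKey{"tr-1": trPub}}
	// 1. Charlie reviews and accepts an Unclassified note on his TR.
	genuine, _ = g.Release(trReview("charlie", charliePriv, "tr-1", trPriv,
		"Unclassified", "Dora, lunch at noon? (constructed sample)"))
	// 2. Charlie accepted a Secret-labelled file on the TR; the PC then
	//    rewrites the label before forwarding it to the Guard.
	m := trReview("charlie", charliePriv, "tr-1", trPriv, "Secret", "project plan")
	m.Label = "Unclassified"
	relabelled, _ = g.Release(m)
	// 3. The PC drives Charlie's smartcard directly, so there is no TR signature.
	pc := LabelledMessage{UserID: "charlie", TRID: "tr-1", Label: "Unclassified",
		Body: "never shown on a trusted display"}
	pc.UserSig = ed25519.Sign(charliePriv, userBytes(pc.Label, pc.Body))
	noTR, _ = g.Release(pc)
	return genuine, relabelled, noTR
}

func main() {
	a, b, c := Scenario()
	fmt.Println("genuine:", a, "relabelled:", b, "noTR:", c) // true false false
}
```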

5 Conclusions 

The concept of review is an important part of many of our paper processes. Until 
now there has been no secure electronic analogue. Unfortunately, software tech- 
nology does not currently allow vendors to deliver highly dependable products. 
The risks associated with the performance of many security-critical operations 
using commodity applications and operating system software are therefore un- 
acceptably high. We have shown that a new device, called the Trusted Reviewer, 
allows a number of the risks to be reduced to much more acceptable levels. 

The Trusted Reviewer provides authentication, review, and digital signature 
creation and validation functions. Because it is so simple in both function and 
design, it will be feasible to develop, evaluate, and certify the device to a high 
level, such as EAL-7 in the Common Criteria. As we have pointed out in this ar- 
ticle, a device like the Trusted Reviewer has applications in many areas, includ- 
ing Certification Authorities (CAs), organisational messaging, Electronic Funds 
Transfer (EFT), witnessing, and inter-security-domain information transfer. The 
Trusted Reviewer can achieve this without limiting users’ access to commodity 
PCs running diverse applications on the shared network. 

The Defence Science and Technology Organisation is developing prototype 
Trusted Reviewers to explore and demonstrate a number of these issues. 
Abstract. The major objective of this paper is to develop network security 
modeling and cyber attack simulation that is able to classify threats, specify 
attack mechanisms, verify protection mechanisms, and evaluate consequences. 
To do this, we have employed advanced modeling and simulation concepts 
such as the System Entity Structure / Model Base framework, the DEVS (Discrete 
Event System Specification) formalism, and the experimental frame concept 
underlying the object-oriented S/W environment. Our approach differs from 
others in that (i) it supports a hierarchical and modular 
modeling environment, (ii) it generates the command-level behavior of a cyber 
att
ack scenario, (iii) it provides an efficient model building environment based 
on the experimental frame concept, and (iv) it supports the vulnerability 
analysis of a given node on the network. A simulation test performed on a sample 
network system illustrates our techniques. 



1 Introduction 

For all practical purposes, international boundaries have been eliminated in 
cyberspace. The growth of information technology and almost universal access to 
computers has enabled hackers and would-be terrorists to attack information systems 
and critical infrastructures worldwide [1]. A cyber attack is an attack on a computer 
and network system, consisting of computer actions (e.g., remote or local connection, 
computer file access, program execution, etc.) to compromise the secure operation of 
the computer and network system. As we increasingly rely on information 
infrastructures to support critical operations in defense, banking, telecommunication, 
transportation, electric power and many other systems, cyber attacks have become a 
significant threat to our society with potentially severe consequences. 

A computer and network system must be protected to assure security goals such as 
availability, confidentiality and integrity. That is, the deep understanding of system 
operation and attack mechanisms is the foundation of designing and integrating 
information protection activities [2]. Therefore, the advanced modeling and 
simulation methodology is essential for classifying threats, specifying attack 
mechanisms, verifying protective mechanisms, and evaluating their consequences. 
That is, we need to establish an advanced simulation methodology for analyzing 
the vulnerability, survivability, etc. of a given infrastructure, as well as the expected 
consequences of successful attacks and the effect of the defense policy. Such a 
methodology may also help find unknown attack behavior if more refined 
models are allowed. Actually, many fields use modeling and simulation techniques to 
support the analysis and insight into building better systems, but the field of 
information protection has not produced significant research results to date. Perhaps 
this is due to the extreme complexity of the cyber attack and defense problem, the 
enormous size of the search space, the lack of good data on attacks and defenses, the 
inability to derive consequences in a systematic way, or the lack of a coherent view of 
information protection [3]. 

In order to overcome these limitations, we have proposed the network security 
modeling and cyber attack simulation by employing the advanced modeling and 
simulation concepts such as System Entity Structure / Model Base framework, DEVS 
formalism, and experimental frame concept [4] underlying the object-oriented S/W 
environment. Our approach is to show the difference from others in that (i) it supports 
a hierarchical and modular modeling environment, (ii) it generates the command-level 
behavior of cyber attack scenario, (iii) it provides an efficient model building 
environment based on the experimental frame concept, and (iv) it supports the 
vulnerability analysis of given node on the network. 

The remainder of this paper is organized as follows. First, it briefly reviews a 
background on conventional information security modeling approaches. Then, it 
proposes a model-based approach for designing the network security modeling and 
cyber attack simulation system. This is followed by the case study. 



2 Background on Network Security Modeling and Simulation 

Many fields use modeling and simulation to provide analysis and insight into building 
better systems, but the field of network security has not produced significant research 
results to date. We are modeling very complex phenomena involving mixes of 
human behavior and interactions of complex interdependent systems with time bases 
ranging from nanoseconds to years. There is no widely accepted information physics 
that would allow us to make an accurate model, and the sizes of the things we are 
modeling are so large and complex that we cannot describe them with any reasonable 
degree of accuracy. Also, there is no consensus on how to describe a network 
security system, and no set of commonly accepted metrics upon which to base a set of 
measurements to be used for simulation. Despite these difficulties of network 
security modeling and simulation, they actually provide much of the best justification 
for actively pursuing it. The high cost of running real-world attacks, the limited extent 
to which they exercise the space of actual attacks, and the high potential for harm 
from a successful attack conspire to make some other means of analysis an imperative 
[3]. 

Cohen [3], a pioneer in the field of network security modeling and 
simulation, suggested a simple network security model which is 
composed of a network model represented by nodes and links, a cause-effect model, 
characteristic functions, and a pseudo-random number generator. However, the 
representation of cyber attack and defense based on the cause-effect model [3] is so 
simple that it is difficult to apply in practice. Amoroso suggested that the intrusion 
model [6] should be represented by a sequence of actions; however, the computer 
simulation approach was not considered clearly. Wadlow [7] suggested an intrusion 
model with four classified states, COOL, WARM, HOT, and COOLDOWN, 
but it failed to go beyond the conceptual modeling level. Finally, Nong Ye [2] 
notably proposed a layer-based approach to complex security systems, but failed to 
provide practical modeling and simulation techniques for the relevant layers. In Nong 
Ye’s approach, the high layers among the four (objectives, conceptual, 
functional, and physical level) can be represented in a simple model and have rapid 
simulation runs with a minimal number of parameters; however, it is too simple to be 
meaningful. The low layers are represented in a complex model with accuracy, but this 
requires a massive amount of data and an enormous amount of simulation time, so that 
it is hard to model. To deal with these problems, this paper attempts to provide an 
appropriate modeling approach through functional level (command-level) access to 
cyber attack, and to provide a network security model and its simulation by applying a 
discrete event simulation technique. 



3 Proposed Approach 

The overall design methodology for network security simulation systems can be 
better understood by organizing it within a set of layers that characterizes its 
design structure, as shown in Fig. 1. Layer I provides a hierarchical and modular 
modeling and simulation S/W environment. Layer II supports command-level 
dynamic model construction based on the experimental frame concept. Finally, the 
network security simulation system can be accomplished in Layer III. 




Fig. 1. Layered approach for network security simulation systems 
3.1 Layer I: SES/MB Framework 

This layer relies on the object-oriented programming environment to provide the 
ability to specify models that populate the model base that it organizes. The properties 
of this lowest layer make it possible to realize similar properties at the higher layers. 
The SES/MB framework [4], a step toward interfacing the dynamics-based 
formalism of simulation with the symbolic formalism of AI, can be suitably adopted 
for this layer. It basically consists of a system entity structure (SES) and a model base 
(MB). The SES represents the knowledge of decompositions, taxonomies, coupling 
specification and constraints. Hierarchical and modular simulation models may be 
constructed by applying the transformation operation to the SES. The model base 
contains models that are procedural in character, expressed in discrete event system 
specification (DEVS) formalism, a theoretically well-grounded means of expressing 
modular discrete event simulation models. A DEVS is a structure [4,5]: 

M = < X, S, Y, δint, δext, λ, ta > 

where X is the set of input event types, S is the sequential state set, Y is the set of 
external event types generated as output, δint (δext) is the internal (external) transition 
function dictating state transitions due to internal (external input) events, λ is the 
output function generating external events as the output, and ta is the time advance 
function. 

Fig. 2 shows the SES of the network security model for an information infrastructure. 
NETWORK, which is the root entity, can be classified into ATOMIC, with a single 
network, and COMPOSITE, with multiple networks. ATOMIC is divided into 
COMPONENT, for the consideration of security factors, and SECURITY-AGENTS, a 
multiple entity. COMPONENT is again divided into O/S and several SERVICES. 
Besides, it can be divided into more detailed subsystems such as BORDER, 
INFRASTRUCTURE, BUSINESS, DESKTOP. In parallel, SECURITY-AGENTS 
can be divided into ATTACKER, which generates the attack scenario, and ANALYZER, 
which analyzes the simulation results. COMPOSITE is divided into more detailed 
levels such as NETWORKS, a multiple entity which can link multiple network 
groups, and LINK, which links them all. Fig. 3 shows a pruned entity structure (PES) 
obtained by applying the pruning operation to the SES. A final simulation model in 
each entity of the PES can be established by attaching the dynamics models discussed 
next. 
Fig. 2. SES representation of network systems 

[Fig. 3 is a tree diagram of which only the labels survive extraction. Its root is 
COMPOSITE.NETWORK(SAMPLE), whose composite-dec yields an ETHERNET.BUS.LINK 
and the sub-networks ATOMIC.NETWORK(R-ABC), ATOMIC.NETWORK(R-D), 
COMPOSITE.NETWORK(D) and COMPOSITE.NETWORK(ABC); the composite networks 
are further decomposed into links (PTE.BUS.LINK, FDDI.RING.LINK) and atomic 
networks such as NETWORK(D1), NETWORK(D3), NETWORK(G-A), NETWORK(G-B), 
NETWORK(F-C), NETWORK(A1) and NETWORK(A4). Each atomic network's atomic-dec 
gives a component (ROUTER.BORDER.COMPONENT, GATEWAY.BORDER.COMPONENT or 
MS.DESKTOP.COMPONENT) whose process-dec lists an O/S (SOLARIS 2.5, WINNT or 
LINUX) and services (PACKET FILTER, E-MAIL, WEB).] 

Fig. 3. A PES example 




Network Security Modeling and Cyber Attack Simulation Methodology 






3.2 Layer II: Component, Attacker, and Analyzer Model Design 

In this layer, command-level component modeling can be constructed on the basis 
of the experimental frame concept. Although a network model can be tested in a 
stand-alone fashion, it really does not “come to life” until it is coupled with modules 
capable of providing it input and observing its output. Thus, the experimental frame 
concept [4] may be suitably utilized to couple with a given model (network model), 
generate input external events (cyber attack commands), monitor its running 
(consequences), and process its output (vulnerability). Fig. 4 depicts the modeling 
approach with the experimental frame module underlying the SES/MB framework. 

In Fig. 4, Attacker inputs planned commands one by one into Network as well as 
Analyzer. Simulation proceeds by Network responding to Attacker as well as 
Analyzer. If enough data are collected for analysis, Analyzer terminates the simulation by 
sending a stop command to Network and Attacker. Then it analyzes each component’s 
vulnerability through a statistical procedure on the collected commands and attack 
results. A detailed modeling method can be illustrated as follows: 




Fig. 4. Network security modeling approach (the figure annotates Attacker with: 
command-level (packet-based) message; random generation capability; learning 
capability) 



• Network Component Modeling 

As described in the preceding section, the network component model comprises various 
services such as Telnet, E-mail, Ftp, Web, and Packet Filtering. The dynamics of these 
component models can be represented in various ways according to their respective 
state variables, such as service type, H/W type, O/S type, etc. Fig. 5(a) is a typical 
example of the DEVS representation of a component model. In Fig. 5(a), the external 
transition function processes the external input arriving through the in port by applying 
the command table, represented as pre/post-conditions, when the phase is passive. During the 
procedure, the model remains in the busy state. On the other hand, the internal transition function, 
when the phase is busy, converts it to passive, and the output function delivers the processed 
results in a packet through the out port. 



(a) Network component model 

  Component Model 
    state variables 
      Service-type, H/W-type, O/S-type, Registered-User-list, Queue-size, etc. 
    external transition function 
      case input-port 
        in:   case phase 
                passive: execute command-table(command) 
                         hold-in busy processing-time 
                busy:    continue 
        else: continue 
    internal transition function 
      case phase 
        busy: passive 
    output function 
      case phase 
        busy: send packet(result) to port out 

(b) Attacker model 

  Attacker Model 
    state variables 
      scenario-type, target-host 
    external transition function 
      case input-port 
        in:   case phase 
                passive: next command := scenario-table 
                         hold-in active attacking-time 
                active:  continue 
        else: continue 
    internal transition function 
      case phase 
        active: passive 
    output function 
      case phase 
        active: send packet(command) to port out 

(c) Analyzer model 

  Analyzer Model 
    state variables 
      num-attack, num-success-attack, vulnerability 
    external transition function 
      case input-port 
        in:   store result-table(command, states) 
        else: continue 
    internal transition function 
      case phase 
        active: passive 
    output function 
      case phase 
        active: analyze result 

Fig. 5. DEVS representation of network security models 
Based on this basic behavior model, command-level modeling can be 
accomplished by grouping and characterizing the commands that are used in various 
services. Table 1 shows an example of command-level modeling using a pre/post- 
condition representation of Unix commands. Here the pre-condition represents the condition for 
executing the command, the output represents the results of command execution, and 
the post-condition represents the properties changed after command execution. For 
example, the pre-condition for executing the “rmdir” command is to confirm that the 
directory to be deleted is empty, the output is the deletion of the directory, and 
finally, as a post-condition, the directory property is changed. 

Table 1. Pre/post-condition representation of Unix commands (partially shown) 

  Command   Pre-condition (current states)   Output                             Post-condition (next states) 
  more      -                                Browse pages through a text file   - 
  pwd       -                                Return working directory name      - 
  rmdir     Check the file existence         Remove directory entries           Change directory attributes 
  cd        Check the file existence         Change working directory           Change directory attributes 
  vi        Check the file existence         Display or edit file               Change file attributes 
  mv        Check the file existence         Move files                         Change file attributes 
  rm        Check the file existence         Remove file entries                Change file attributes 
  chmod     Check the file existence         Change the permission mode         Change permission attribute 


• Attacker Modeling

The attacker model outputs a sequence of attacking commands according to its attacking scenario. The basic mechanism that produces this behavior is the pair of phrases 'next command ← scenario-table' and 'hold-in active attacking-time' in the external transition function shown in Fig. 5(b). The hold-in phrase returns the model to the same phase, active, after each external transition and schedules it to undergo its next internal transition after a time given by attacking-time. Just before that internal transition takes place, the output function emits the next command taken from the pre-defined scenario table.

• Analyzer Modeling

The analyzer model is designed to gather statistics and analyze a performance index such as the vulnerability of each component on the given network. For simulation convenience, we define the vulnerability of a component as the number of successful attacks divided by the total number of attempted attacks. To do this, the analyzer stores the commands that arrive at its in port, together with the resulting states, in the result table as shown in Fig. 5(c).
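As an added example (not the authors' SECUSIM code), the following Python sketch puts the three pieces of this subsection together: a node model whose Unix commands are given as pre-condition checks and post-condition state changes in the style of Table 1, an attacker model that emits one command from its scenario table every attacking-time units and receives the node's reply a link delay later, and the analyzer's vulnerability index, successful attacks divided by attempted attacks. The file-system state, the command table, the delays and the scenario are constructed for the illustration and are not taken from the paper.

```python
"""Command-level node model with pre/post-conditions, a scenario-driven
attacker and an analyzer computing vulnerability = successes / attempts.
Added illustration; the state, commands, delays and scenario are constructed.
"""
from dataclasses import dataclass


@dataclass
class NodeState:
    files: dict            # path -> {"mode": int, "dir": bool}
    cwd: str = "/"


def _is_dir(st, path):
    return path in st.files and st.files[path]["dir"]


# Each command = pre-condition check, then post-condition (state change).
def cmd_pwd(st):
    return True, st.cwd


def cmd_cd(st, path):
    if not _is_dir(st, path):                      # pre-condition
        return False, "no such directory"
    st.cwd = path                                  # post-condition
    return True, "cwd=" + path


def cmd_rm(st, path):
    if path not in st.files or st.files[path]["dir"]:
        return False, "no such file"
    del st.files[path]
    return True, "removed"


def cmd_rmdir(st, path):
    # pre-condition as in the text: the directory must exist and be empty
    if not _is_dir(st, path):
        return False, "no such directory"
    if any(p != path and p.startswith(path.rstrip("/") + "/") for p in st.files):
        return False, "directory not empty"
    del st.files[path]
    return True, "removed"


def cmd_chmod(st, mode, path):
    if path not in st.files:
        return False, "no such file"
    st.files[path]["mode"] = int(mode, 8)
    return True, "mode=" + mode


COMMANDS = {"pwd": cmd_pwd, "cd": cmd_cd, "rm": cmd_rm,
            "rmdir": cmd_rmdir, "chmod": cmd_chmod}


def run_command(st, line):
    """Node model: check the pre-condition, apply the post-condition."""
    name, *args = line.split()
    handler = COMMANDS.get(name)
    if handler is None:
        return False, "unknown command " + name
    try:
        return handler(st, *args)
    except TypeError:                              # wrong argument count
        return False, "bad arguments"


def simulate(st, scenario, attacking_time=5, link_delay=2):
    """Attacker emits one command every attacking_time units (the hold-in
    mechanism); the node answers link_delay later. Returns the analyzer's
    vulnerability index and a Table-2-style trajectory of (time, who, what)."""
    trajectory, attempts, successes, t = [], 0, 0, 0
    for line in scenario:
        trajectory.append((t, "Attacker", line))
        ok, out = run_command(st, line)
        attempts += 1
        successes += ok
        trajectory.append((t + link_delay, "Node", ("OK: " if ok else "FAIL: ") + out))
        t += attacking_time
    return (successes / attempts if attempts else 0.0), trajectory


def sample_node():
    """Constructed file-system state of the target node."""
    return NodeState(files={
        "/": {"mode": 0o755, "dir": True},
        "/etc": {"mode": 0o755, "dir": True},
        "/etc/passwd": {"mode": 0o644, "dir": False},
        "/tmp": {"mode": 0o1777, "dir": True},
        "/tmp/scratch": {"mode": 0o755, "dir": True},
    })


# Constructed scenario table: two commands fail their pre-conditions.
SCENARIO = ["cd /etc", "chmod 666 /etc/passwd", "rmdir /tmp",
            "rmdir /tmp/scratch", "rm /etc/shadow", "pwd"]

if __name__ == "__main__":
    vulnerability, traj = simulate(sample_node(), SCENARIO)
    for t, who, what in traj:
        print(f"{t:3d}  {who:8s}  {what}")
    print(f"vulnerability = {vulnerability:.2f}")
```

The trajectory alternates attacker command and node reply exactly as Table 2 does; the vulnerability index counts a command as a successful attack only when its pre-condition held and its post-condition was applied.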
3.3 Layer III: Network Security Simulation System

Fig. 6 shows the overall methodology using the SES/MB. Phase I represents the conceptual specification stage, in which the decomposition, taxonomies, coupling specification and constraints of the given information network system are specified by the SES. In Phase II, the network component models as well as the cyber attack, defense, and consequence models are built and saved into the MB. In Phase III, the simulation model is constructed by integrating the dynamic models in the MB with the network structure of the SES so that the cyber attack simulation can be performed. Finally, the simulation result is analyzed in Phase IV so that the security characteristics and policies of each network component can be evaluated.

Fig. 6. Overall methodology

4 Case Study

This section examines the feasibility of the proposed methodology through a case study on a sample network. Fig. 7 shows the sample network for the simulation test. It includes LANs with client and server computers, topologies such as ring and bus, and a WAN connecting multiple LANs via routers or gateways on the Internet. In addition, each node may be connected to an attacker model, so any node can generate packets. These packets move to the destination node through node models, topology models, and/or router models. A node model that receives a packet responds in the same way after executing the commands carried in the packet. Due to space limitations, this case study provides only one simple scenario: how to gain access to a system on which the attacker has no user account, by acquiring a general user account through SYN flooding, IP spoofing, and old bugs in SUN O/S v1.4.x [8,9].




Fig. 7. Simulation model example 

Table 2 illustrates the simulation results of the cyber attack scenario for acquiring a general user account. Here 'Time' means the simulation run time, 'Node' signifies the name and IP address of the node reporting the result, 'What' signifies the command generated by a node, the command received by a node, or the processed result (the 'S)' prefix gives the source address carried in the packet), and 'Remarks' provides the explanation for 'What'. Let us look at a simple examination of the cyber attack simulation. First, each command of the cyber attack scenario starts from the attacker model and moves to the destination node in a packet via the Link, Router, and Gateway models. The destination node then delivers the command result back to the attacker node. In Table 2, the attacker attacks the Max node with SYN flooding and Max's system goes down. The attacker disguises its source address with Max's IP address and sends the command 'showmount 203.253.146.169' to Kant in a packet. Due to Kant's system bug, the input command is performed and Kant delivers the result to the attacker's disguised (Max) address. Using the disguised address, the attacker performs the consequential commands 'mount 203.253.146.169:/usr/foo', 'echo prayccc:1230:10001:1::: >> passwd', and 'echo 192.168.1.20 >> .rhosts', and succeeds in acquiring an account of its own. Finally, the attacker successfully sends Kant the 'rlogin 203.253.146.169' command using its own account.



Table 2. Simulation trajectory: scenario of general user account acquisition

Time | Node (IP address)       | What                                                         | Remarks
0:00 | Attacker (192.168.1.20) | S) 192.168.1.20  SYN flooding 203.253.146.149                | SYN flooding attack
0:02 | Max (203.253.146.149)   | SYN flooding 203.253.146.149                                 | System down
0:09 | Attacker (192.168.1.20) | S) 203.253.146.149  showmount 203.253.146.169                | showmount command
0:11 | Kant (203.253.146.169)  | showmount 203.253.146.169  Processing OK!!!                  | Command processed and reply to 203.253.146.149
0:16 | Attacker (192.168.1.20) | S) 203.253.146.149  mount 203.253.146.169:/usr/foo           | mount command
0:18 | Kant (203.253.146.169)  | mount 203.253.146.169:/usr/foo  Processing OK!!!             | Command processed and reply to 203.253.146.149; increased mount vulnerability
0:23 | Attacker (192.168.1.20) | S) 203.253.146.149  cd /foo                                  | cd command
0:25 | Kant (203.253.146.169)  | cd /foo  Processing OK!!!                                    | Change directory to /foo and reply to 203.253.146.149
0:30 | Attacker (192.168.1.20) | S) 203.253.146.149  ls -alg                                  | ls command
0:32 | Kant (203.253.146.169)  | ls -alg  Processing OK!!!                                    | List up ==> -alg; reply to 203.253.146.149
0:37 | Attacker (192.168.1.20) | S) 203.253.146.149  echo prayccc:1230:10001:1::: >> passwd   | echo command
0:39 | Kant (203.253.146.169)  | echo prayccc:1230:10001:1::: >> passwd  Processing OK!!!     | Increased user number; reply to 203.253.146.149
0:44 | Attacker (192.168.1.20) | S) 203.253.146.149  ls -alg                                  | ls command
0:46 | Kant (203.253.146.169)  | ls -alg  Processing OK!!!                                    | List up ==> -alg; reply to 203.253.146.149
0:51 | Attacker (192.168.1.20) | S) 203.253.146.149  su prayccc                               | su command
0:53 | Kant (203.253.146.169)  | su prayccc  Processing OK!!!                                 | Changed user ID to prayccc and reply to 203.253.146.149
0:58 | Attacker (192.168.1.20) | S) 203.253.146.149  echo 192.168.1.20 >> .rhosts             | echo command
1:00 | Kant (203.253.146.169)  | echo 192.168.1.20 >> .rhosts  Processing OK!!!               | Increased rhost number; reply to 203.253.146.149
1:05 | Attacker (192.168.1.20) | S) 192.168.1.20  rlogin 203.253.146.169                      | rlogin (rhost) command
1:07 | Kant (203.253.146.169)  | rlogin 203.253.146.169  Processing OK!!!                     | Command processed and reply to 192.168.1.20
1:12 | Attacker (192.168.1.20) | S) 192.168.1.20  Bye                                         | Finished
1:14 | Kant (203.253.146.169)  | Attack Succeeded!!!                                          | Attack succeeded and reply to 192.168.1.20

S) marks the source address placed in the packet by the sending node; from 0:09 to 1:00 the attacker spoofs Max's address 203.253.146.149.

Fig. 8 shows a screen copy of SECUSIM, a network security simulation system currently under implementation. SECUSIM is implemented on the basis of MODSIM III [10] and enables the simulation of various attack patterns against various network components. Users can set up the initial conditions of a simulation using the window of each node. They can also test various cases by attaching the attacker and analyzer to any particular node. The progress of a simulation can be followed through packet-based animation, and more detailed procedures can be checked through the given windows. The simulation result is reported as the total number of attacks and successful attacks on each node, analyzed in the analyzer model, together with the vulnerability value.

Fig. 8. Implemented cyber attack simulation system: SECUSIM



5 Conclusions 

This study has discussed a network security modeling and cyber attack simulation methodology that can classify threats, specify attack mechanisms, verify protection mechanisms, and evaluate consequences. It employs advanced modeling and simulation concepts such as the SES/MB framework, the DEVS formalism, and the experimental frame concept underlying the object-oriented software environment. Our approach differs from others in that (i) it supports a hierarchical and modular modeling environment, (ii) it generates the command-level behavior of a cyber attack scenario, (iii) it provides an efficient model building environment based on the experimental frame concept, and (iv) it supports the vulnerability analysis of a given node on the network. As normal and attack activities are systematically organized, understood, and captured in our model-based approach to the network security system, information protection techniques may be designed more efficiently to cover attacks at various levels and scales of the system with layered, complementary defense mechanisms. We leave an intelligent attacker model, distributed simulation, and further vulnerability analysis for future study.
Abstract. Denial-of-service (DoS) attacks are among the most malicious Internet-based attacks. Introducing cryptographic authentication protocols into the Internet environment does not help alleviate the impact of denial-of-service attacks, but rather increases the vulnerability to them because of the heavy computation associated with cryptographic operations. Nevertheless, many Internet security protocols, including SSL/TLS, do not consider this aspect. We consider this overlooked issue in authentication protocol design and propose an effective countermeasure applicable to authentication protocols such as SSL/TLS which use public-key encryption to authenticate the server to the client.



1 Introduction 

Recently, denial-of-service (DoS) attacks have become a growing concern as Internet services have entered more aspects of human life. Many things in human life turn out to have their counterpart in the Internet world; the DoS attack is one example. In this paper, we focus on the most typical DoS attacks, which may be called connection depletion attacks or resource clogging attacks: an attack in which an attacker seeks to initiate and leave unresolved a large number of connection requests to a Web server, exhausting its resources and rendering it incapable of servicing legitimate connection (or service) requests. The SYN flooding attack in TCP/IP networks is the best known example of this kind [Cert96, Fred99]. This attack exploits a weakness in the TCP connection establishment protocol. Attempting to establish a TCP connection, the client sends the server a SYN message. In response, the server sends a SYN-ACK message and prepares the connection by allocating buffer space. The client then finishes establishing the connection by responding with an ACK message. After this sequence, both entities can exchange the service-specific data. The attacker, however, does not follow this sequence of messages. It simply fails on purpose to send the third message, the ACK, to the server, leaving the session half-open. The attacker may initiate a large number of SYN messages simultaneously, causing the server to be unable to handle legitimate connection requests. A detailed analysis of this attack and possible remedies are described by Schuba et al. [Schu97].

Using an authentication protocol in the Internet environment is orthogonal to the prevention of DoS attacks. Authentication protocols themselves do not help prevent denial-of-service attacks but instead may give rise to another environment for denial-of-service attacks. Usually, to run an authentication protocol, the involved entity has to assign to it a particular session and some memory to keep the relevant data resulting from message exchanges and related computation during its execution. Thus, although the notorious SYN flooding attacks can be minimized through careful design and operation of Internet communication systems, the introduction of authentication protocols opens up another door to similar denial-of-service attacks.

This problem concerning authentication protocols and DoS attacks is well understood and a lot of previous work has been invested in addressing it; a detailed survey of the related work can be found in [ANL01, LNA00]. The most well studied and promising approach to date seems to be for the server to use cookies against a potential attacker. The concept of cookies for use in the context of client-server transactions started from 'Netscape Cookie' in 1994 as part of the feature set of Netscape Version 1.1 [Laur98]. Since then, most Web browsers including Microsoft Explorer have adopted cookies.

Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access [Scho99]. Basically the same concept of cookies started to be used to thwart DoS attacks on cryptographic protocols, the first example of which seems to be the Photuris protocol by Karn and Simpson (most recent version 1999 [KaSi99], but originally published in 1995). Several Internet security protocols followed this trend, including SKEME [Kraw96] and OAKLEY [Orma98]. The basic idea of cookies in these protocols is as follows. When a client attempts to make a connection, the server sends back a cookie which is a function of a secret known only to the server and other information unique to the particular connection. At this stage the server stores no state for this request. The client needs to return the cookie in the next message, and its validity can be checked by the server from the information sent and its secret. The idea is to ensure, before investing significant resources, that the client is making a unique request for connection. This technique addresses the denial-of-service attacks in which the adversary sends random connection requests.

The benefits of stateless connections at the beginning of an authentication protocol were recognized by Janson et al. [JTY97] in the KryptoKnight protocol suite, and this concept was generalized by Aura and Nikander [AuNi97]. Their idea is to make the client store all the state information required by the server and return it to the server as necessary with each message sent. In this way the server need not store any state information. The cookie approach can be considered a special instance of the stateless connection approach in the sense that a cookie generated by the server can contain session-specific information, is stored in the client system, and is later delivered back to the server to be verified.

A cryptographic puzzle that the client must solve to initiate a connection with the server is another approach to solving the DoS attack problem. Dwork and Naor [DwNa98] first presented this concept in the context of electronic junk mail, and later Juels and Brainard [JuBr99] presented a simpler client puzzle for the server to combat TCP SYN flooding attacks. The same concept was further developed by Aura et al. [ANL01] to address DoS attacks against authentication protocols. In this scenario, the server in an authentication protocol can ask the client to solve a puzzle before the server creates a protocol state or performs expensive public-key related computations. In this way, the puzzle helps improve the DoS-resistance of an authentication protocol.

It can be seen that each of the countermeasures against DoS attacks that we have 
described carries some cost. If cookies are used as an initial stage in an authentication 
protocol then additional message exchanges are usually required; this can be a 
significant overhead in some applications such as the limited signalling channels in 
mobile communications. Making a protocol stateless may require significant changes 
to the protocol structure and also increases storage and bandwidth requirements on the 
client side. Finally the use of cryptographic puzzles imposes a computational burden 
on both client and server as well as requiring additional message exchanges. 

In this paper, we propose a new countermeasure against DoS attacks for client- 
server security protocols in which the client authenticates the server by sending a 
random nonce encrypted under the public encryption key of the server. Such protocols 
include SSL/TLS [RFC99], SKEME [Kraw96], and the authentication and key 
agreement protocol of the PACS (Personal Access Communication System), one of 
the six PCS standards in North America [Bell94], [JTC94]. 

Our approach is along the same lines as Aura and Nikander's stateless connection concept in that both approaches purport to make the cryptographic protocols themselves more robust against the attacks. Our approach has something in common with the client puzzle concept in that both use cryptographic mechanisms to combat DoS attacks, but it differs in that our method can be applied and integrated directly into the authentication and key-establishment protocols themselves. This provides a mechanism for the design of more robust protocols. Our scheme requires only minimal overhead on both the client and the server. The only limitation of the new method is that it applies only to the specific type of authentication protocols stated earlier.

Notation

Throughout the paper, symbols A and B denote the identities of the client and the server. Symbols like r_X denote a random number or nonce generated by principal X. The private and public keys of X are written as K_X^{-1} and K_X, respectively. The encryption of some message under key K is denoted by {·}_K and the digital signature of some message under X's private key by {·}_{K_X^{-1}}. The hash of some message is denoted by hash(·) or H(·).



2 Server Authentication and Random Numbers 

To authenticate the server with any cryptographic challenge-response mechanism, the client chooses a random number and sends it to the server. According to the way this random challenge is handled, we may have two different methods of authentication. The first is that the client sends it in the clear and the server signs it with its own private key. The corresponding certified public verification key is publicly available, so the client can check whether the signature was generated by and came from the server. The unpredictability and randomness of the random challenge guarantees the required freshness of the signature: i.e., the server has generated the signature for the current session, not for an old session.

The second alternative is to encrypt the random number under the public encryption key of the server before delivery to the server. The authentic server is then the only entity able to retrieve the random number from the ciphertext. The server's response to the client with the decrypted random number provides the authenticity of the server's identity.

Each of the above two schemes has its own strengths and weaknesses. As far as denial-of-service attacks are concerned, however, the latter method is preferable. This is because in the latter method the value from the client is not just a random number but an encryption of it, which may be exploited to accommodate a countermeasure against the DoS attack. The basic idea of the countermeasure is to implant a cryptographic salt, a random number chosen by the server, into the public-key encryption operation performed by the client. That is, the client is required to encrypt the random nonce it received from the server together with its own fresh nonce. This is quite an unusual use of random nonce encryption in public-key based authentication protocols. On receipt of the encrypted random nonces, the server is able to check whether the message has been formed correctly, since decryption yields the server's own random nonce only when the message has been formed correctly.

Figure 1 depicts this concept in more detail. 




Fig. 1. A random number can be used as a kind of cryptographic salt to combat the DoS attack. 



In the above figure, we assume that the client authenticates the server by sending the second message, which is encrypted under the server's public encryption key K_B. Furthermore, it should be noted that the first two messages comprise only a part of an authentication and key establishment protocol, which we want to make more robust against DoS attacks. The steps in this scheme can be outlined as follows.

1. The server B chooses a random number r_B and sends it to the client A.

2. On receipt of r_B, the client chooses its own random number r_A and encrypts it together with r_B using the server's public key K_B; the resulting ciphertext {r_A, r_B}_{K_B} is sent back to the server.

3. On receiving the encrypted message, the server decrypts it and retrieves r_A and r_B from the received ciphertext. The retrieved value of r_B and the value of r_B which was sent to the client should match; otherwise the server concludes that the received message is simply a garbage value sent by a malicious attacker.

Without this kind of countermeasure, there is no way for the server to check whether the received ciphertext is really the result of a proper cryptographic computation and whether that computation was carried out for the current session. Even for a garbage or replayed old message, the server will execute a public-key decryption, send the subsequent message to the attacker, and finally be left with an open session state waiting for the next message from the attacker, which the attacker simply never sends.

It can be seen that in a protocol in which the client already sends the challenge encrypted under the server's public key K_B there is only a small change in the protocol messages and minimal additional computational effort required. This is in contrast to other DoS countermeasures, which may require additional messages, extra computation, and/or significant alterations to the protocol specification. In practice it is often possible to include the challenge from the server in an existing message, as we will see below.

In the next section, we demonstrate that the above technique can be easily applied 
to a typical Internet security protocol SSL/TLS where the ServerHello message and 
the Client Key Exchange message correspond to the first and the second messages, 
respectively. 



3 SSL/TLS Protocol 

The SSL protocol has become a de facto standard for Internet security, and its latest version 3.0 is used as the core protocol TLS by the IETF Transport Layer Security working group. The SSL/TLS protocol uses public key cryptography for authentication and key-establishment. Some analyses of the cryptographic security of the protocol have been published, such as Paulson's formal inductive analysis [Paul99] and Wagner and Schneier's informal analysis [WaSc96]. Both analyses concluded that the protocol has no weakness with regard to its basic structure. We show below its simplified abstract description, adopted from Paulson's abstract version of the protocol, where optional messages are boxed in dotted lines.
Protocol 1. A simplified description of the TLS handshake protocol
A: Client, B: Server

1. A -> B: A, r_A, Sid, Pa                                      client hello
2. A <- B: r_B, Sid, BCert, Pb                                  server hello, server certificate
3. A -> B: [ACert], {r'_A}_{K_B}, [{hash(r_B, B, r'_A)}_{K_A^{-1}}],
           {finished}_{K_AB}                                    [client certificate], client key exchange,
                                                                [certificate verify], client finished
4. A <- B: {finished}_{K_BA}                                    server finished

A, B: M = hash(r'_A, r_A, r_B), finished = hash(Sid, M, r_A, r_B, Pa, A, Pb, B)

(Items in square brackets are the optional messages, boxed in dotted lines in the original figure.)



Here we use slightly different notation from Paulson's description of the TLS protocol; r_A and r_B replace the original Na and Nb, called client random and server random, respectively. Another random nonce, r'_A, denotes the pre-master-secret (PMS), which serves as challenge data to the server B. The public key certificates of the client and the server are denoted ACert and BCert, respectively. Sid is the session identifier. The notations {·}_{K_B} and {·}_{K_A^{-1}} stand for message encryption under B's public encryption key and signature with A's private signature key. Using the nonces and M, the principals A and B compute the session keys K_AB and K_BA to be used for A-to-B and B-to-A encryption, respectively. Pa and Pb comply with the original notation and mean the sets of A's and B's preferences for encryption and compression.

We can see that r_B in message 2 of the SSL/TLS protocol and {r'_A}_{K_B} in message 3 serve as a good vehicle for the countermeasure described in the previous section. That is, {r'_A}_{K_B} can be modified to {r'_A, r_B}_{K_B}. The countermeasure is a very reasonable mechanism worth considering for the SSL protocol because no additional public-key encryption/decryption is required. Furthermore, the concatenation of r'_A and r_B is not the only way to implement the idea of the countermeasure. For instance, instead of {r'_A, r_B}_{K_B}, we can adopt the following alternative: encrypt the sum of the two nonces, {r'_A + r_B}_{K_B}, and send hash(r'_A) alongside it. In this way the length of the encrypted message stays the same as in the original. The server decrypts the received ciphertext, subtracts the value of r_B from the decrypted value, takes the hash of the result, and compares it with the received hash value. The benefit of this countermeasure can be made clearer by comparing the significance of DoS attacks in both cases, the original protocol and the modified one, as shown in the table below.





After a DoS attack the server ... | Original SSL/TLS                                       | Modified SSL/TLS
has spent                         | one decryption and one or two signature verifications, | one decryption,
and is left in a state of         | one half-open session.                                 | no half-open session.
Here both decryption and verification are public-key based operations, and the original protocol requires two signature verifications when client authentication is needed: one for the client certificate verification and another for the client signature verification. The countermeasure cannot prevent DoS attacks completely, but it significantly mitigates the damage of the attacks with no additional public-key operation or extra message exchange at all.

It is very important to note that the cryptographic salt explained so far is distinct from the idea of cookies. A cookie is a function of session-specific information, whereas a cryptographic salt is simply a nonce chosen arbitrarily by the server. Both ideas, however, may be combined as shown in the next section.



4 Cookies Combined with the New Countermeasure 

The random number r_B in the countermeasure can be generated in a way similar to the cookies of the Photuris protocol, enabling the server to achieve even more robustness against DoS attacks. Usually, at the point of delivering r_B, the server is expected to assign a unique session to the client requesting service. In this situation a particular value of r_B is also uniquely related to the corresponding session. The value of r_B is stored in memory within the server system to be compared with the value of r_B received from the client. The problem with this scheme is very similar to that of the TCP/IP client-server model which leads to the notorious SYN flooding attacks. In other words, the server must wait for the second message in the above figure after it sends r_B to the client. This problem can be avoided by the server delaying the assignment of session resources to the client until the client proves that it has correctly carried out the encryption of the two random nonces. In other words, the server does not couple a specific value of r_B with a particular client before the client computes and sends the required cryptographic message.

To obviate the need to store the values of r_B, the server prepares a suitable hash function H, selects a random master key, and selects a sufficiently large value as the modulus M of the index for r_B. Here the index runs from 0 to M - 1. When a new value of r_B is required, the server runs the hash function with the master key and the current index as inputs; the hash result is used as the value of r_B (Figure 2).



[Fig. 2 layout: Master Key and Index of r_B (index_r_B) are the two inputs of Hash Function H; its output is r_B.]

Fig. 2. Generation of random number r_B





Cryptographic Salt: A Countermeasure against Denial-of-Service Attacks



The following Figure 3 shows an example using this generation method together 
with the countermeasure described before. The process is outlined in the following 
steps. 




Fig. 3. The cryptographic salt as a cookie 



1. In response to a service request from the client, the server generates a new value of r_B = H(master key, index_r_B), increments the index parameter index_r_B, and sends the client the values of r_B and index_r_B.

2. On receipt of r_B and index_r_B, the client generates its own random nonce r_A, encrypts r_A and r_B under the public encryption key K_B, and sends the server the plaintext index_r_B and the ciphertext {r_A, r_B}_{K_B}.

3. When the server receives the response from the client, using the received value of the parameter index_r_B, it retrieves from a look-up table or, alternatively, re-computes the corresponding value of r_B. The server also decrypts the received ciphertext {r_A, r_B}_{K_B} and retrieves the value of r_B, which is compared with the value of r_B it generated itself from the given value of index_r_B.

4. If both values match, the server is assured that the client has honestly formed and sent the ciphertext {r_A, r_B}_{K_B}. This leads the server to the next step specified in the authentication protocol to which the protection scheme is applied.

5. On the other hand, if the match fails, the server may conclude that the client is attempting a DoS attack by sending a bogus message which has nothing to do with the correct cryptographic operation needed to compute the ciphertext {r_A, r_B}_{K_B}.
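The exchange of Section 2 (steps 1 to 3 of Fig. 1) and the stateless generation of r_B from this section (steps 1 to 5 above), carried out end to end as an added example; this is not code from the paper. Assumptions not in the original: the hash function H is HMAC-SHA-256 truncated to 64 bits; a textbook RSA modulus built from two Mersenne primes stands in for the server's public-key encryption so that the example runs on the Python standard library alone (a real deployment uses a padded scheme such as RSAES-OAEP, and in SSL/TLS the encrypted client nonce would be the pre-master secret r'_A); the index modulus M is 2^32; and the server's session state is a plain dictionary. The garbage_run and replay_run functions are the two attack cases the text describes, a bogus ciphertext and a stale one, and both are rejected before any session state is allocated.

```python
"""Cryptographic salt against connection depletion: the client encrypts its
nonce r_A together with the server's nonce r_B under the server's public key;
the server regenerates r_B from (master key, index_r_B), so it stores nothing
until a ciphertext decrypts to the expected r_B. Added illustration only.
"""
import hashlib
import hmac
import secrets

# Toy textbook RSA on two Mersenne primes: a stand-in for K_B so the example
# needs no third-party library. Unpadded RSA is not acceptable in practice;
# a real implementation uses RSAES-OAEP or the TLS pre-master-secret encoding.
P = (1 << 61) - 1            # M61, prime
Q = (1 << 89) - 1            # M89, prime
N = P * Q                    # ~150-bit modulus, room for two 64-bit nonces
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)
NONCE_BITS = 64


def encrypt_nonces(r_a, r_b):
    """Client side: {r_A, r_B}_{K_B}, both nonces packed as 64-bit fields."""
    assert 0 <= r_a < 1 << NONCE_BITS and 0 <= r_b < 1 << NONCE_BITS
    return pow((r_a << NONCE_BITS) | r_b, E, N)


def decrypt_nonces(c):
    """Server side: recover (r_A, r_B) from the ciphertext."""
    m = pow(c, D, N)
    return m >> NONCE_BITS, m & ((1 << NONCE_BITS) - 1)


class Server:
    """Holds only a master key and a counter; r_B is recomputed, never stored."""
    INDEX_MODULUS = 1 << 32                 # index_r_B runs over 0 .. M-1 (assumed M)

    def __init__(self):
        self.master_key = secrets.token_bytes(32)
        self.index = 0
        self.sessions = {}                  # populated only after a valid reply

    def salt_for(self, index):
        """r_B = H(master key, index_r_B), H = HMAC-SHA-256 truncated to 64 bits."""
        mac = hmac.new(self.master_key, index.to_bytes(4, "big"), hashlib.sha256)
        return int.from_bytes(mac.digest()[:8], "big")

    def hello(self):
        """Step 1: hand out (r_B, index_r_B) and advance the index; no state kept."""
        index = self.index
        self.index = (self.index + 1) % self.INDEX_MODULUS
        return self.salt_for(index), index

    def key_exchange(self, index, ciphertext):
        """Steps 3-5: recompute r_B for index, decrypt, compare in constant time;
        only a matching reply is allowed to allocate session state."""
        expected = self.salt_for(index).to_bytes(8, "big")
        r_a, r_b = decrypt_nonces(ciphertext)
        if not hmac.compare_digest(r_b.to_bytes(8, "big"), expected):
            return False                    # garbage, stale or replayed: drop it
        self.sessions[index] = r_a          # r_A is the client's challenge
        return True


def client_reply(r_b, index):
    """Step 2: fresh r_A, encrypt (r_A, r_B) under K_B, echo index_r_B in clear."""
    r_a = secrets.randbits(NONCE_BITS)
    return index, encrypt_nonces(r_a, r_b)


def honest_run(server):
    r_b, index = server.hello()
    return server.key_exchange(*client_reply(r_b, index))


def garbage_run(server):
    """Attacker answers with random bytes, spending no public-key work itself."""
    _, index = server.hello()
    return server.key_exchange(index, secrets.randbelow(N))


def replay_run(server):
    """Attacker replays a valid ciphertext under a later index: r_B no longer matches."""
    r_b, index = server.hello()
    _, c = client_reply(r_b, index)
    _, later = server.hello()
    return server.key_exchange(later, c)


if __name__ == "__main__":
    s = Server()
    print("honest:", honest_run(s), "garbage:", garbage_run(s), "replay:", replay_run(s))
    print("sessions allocated:", len(s.sessions))
```

The server performs exactly one public-key decryption per reply, as in the table of Section 3, but a failed comparison costs it nothing beyond that decryption and leaves no half-open session; the index sent in the clear is what lets the server stay stateless between its hello and the client's reply.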
The usage of r_B as a cookie is just an example, and there may be as many usages as there are different uses of cookies. It should be noted, however, that the basic idea of the new countermeasure presented in this paper is independent of cookies. In other words, the cryptographic salt r_B as described in this paper may or may not be a cookie. Rather, the new countermeasure can be made more effective when combined with the cookie scheme.



5 Conclusion 

We proposed a new concept for protecting a particular form of authentication protocols, such as the SSL/TLS protocol, against the connection depletion attack. The cookie, an existing countermeasure, is useful against the DoS attack but useless against a determined attacker because the cookie data can be eavesdropped by the attacker. The client puzzle approach solves this problem but requires additional computational overhead on both the client and the server. Our new concept solves these problems with minimal overhead because it requires no additional public-key operation. In some concrete implementations of the concept it may require one extra hash computation, which is practically insignificant. Furthermore, this protection method can be combined with the existing cookie mechanism as well, providing more robustness against the DoS attack.
Abstract. The internet revolution and modern applications require 
more bandwidth capacity as a result of the increasing number of people 
using e.g. web-based applications with their enhanced quality and 
performance. Today, modern networks like ATM and SDH/SONET do 
not only have to fulfill the demand for higher transmission rates but also 
have to provide and to guarantee data security and especially data confi- 
dentiality. Therefore, new or modified cryptographic modes of operation 
are required. These modes provoke an error propagation which has an 
impact on the Quality of Service (QoS) parameters of the network. The 
influences on an ATM network are examined for the CBC, the Statistical 
Counter Mode, a new mode of operation, and the ATM Counter Mode, 
which needs additional bandwidth for synchronization purposes. 

For SDH/SONET networks we suggest another mode of operation, called 
the Statistical Self-Synchronization, combining the advantages of the 
CFB and OFB mode. In synchronous networks it is the only mode that 
does not require additional bandwidth and is self-synchronizing with 
acceptable augmentation of error rates. The impact on the error perfor- 
mance is discussed and guidelines for adjusting selected cryptographic 
parameters are presented. 



1 Introduction 

The development of efficient, digital transmission systems is a result of the in- 
creased requirement of bandwidth capacity over the last years. The Synchronous 
Digital Hierarchy (SDH), Synchronous Optical Network (SONET) and the Asyn- 
chronous Transfer Mode (ATM) are the technologies that do not only fulfill this 
demand, but also offer the possibility of enhanced network management and 
controllable Quality of Service (QoS) for different services. 

These networks require adequate security features to protect the processed 
information and the network management. The ATM Forum has established 
a framework of specifications that defines objectives for security requirements. 
The security requirements for ATM networks originate from confidentiality, data 
integrity and accountability for all ATM network service invocations and man- 
agement activities. To ensure data confidentiality during the transmission, 
encryption technology is highly important. Because of the high transmission rates 
and the consideration of the negotiated QoS parameters, new or modified modes 
of operation are required. 

The ATM Forum recommends the Cipher Block Chaining (CBC) and ATM 
Counter Mode for the usage in ATM networks. The ATM Counter Mode has the 
disadvantage that additional bandwidth for security purposes is necessary and 
that the occupied bandwidth is no longer available for user data. This results 
in further cell losses, depending on traffic load and buffer capacities of the se- 
curity devices. To overcome this disadvantage, a new mode of operation, the 
Statistical Counter Mode, is introduced. 

In SDH the standardized and fixed frame structure does not allow addi- 
tional synchronization information of the crypto algorithm. The Statistical Self- 
Synchronization is the suggested technique which ensures the synchronization 
even in case of bit-slipping. This mode of operation guarantees that the cor- 
rect plaintext is computed at the receiver’s side after an error propagation has 
occurred. 

The paper is organized as follows: In Sec. 2 the ATM technology is briefly 
introduced. Section 3 gives a short overview of SDH/SONET. Section 4 con- 
centrates on the modes of operation of block ciphers, and two new modes of 
operation, the Statistical Self-Synchronization and the Statistical Counter Mode, are 
presented. Sections 5 and 6 focus on the impact of modes of operation on the 
error performance in SDH networks and on the Quality of Service parameters in ATM 
networks. Finally, the paper is summarized and suggestions for future work are 
given. 

2 ATM 



Asynchronous Transfer Mode is based on the definition of the B-ISDN Protocol 
Reference Model specified in ITU-T I.321. It supports integrated voice, data, 
and video communications for available services as well as for future services not 
yet defined. ATM has become one of the leading network protocols, because it is 
highly scalable, fast and efficient, suitable for service integration, and provides 
Quality of Service. 

In ATM the information to be transmitted is divided into short 53 byte fixed- 
length units called cells, which have a 5 byte header and a 48 byte payload. The 
reason for such a short cell length is that ATM must deliver real time service 
at low bit rates and thus it minimizes packetization delay. ATM networks are 
connection oriented with virtual channels and virtual paths. The virtual channel 
carries one connection while a virtual path may carry a group of virtual chan- 
nels. This ensures that cell sequence is maintained throughout the network. The 
virtual channel is identified by the Virtual Channel Identifier (VCI), and the 
virtual path is identified by the Virtual Path Identifier (VPI). Both the VCI 
and VPI are stored in the header of the cell and may change within the net- 
work. These values are assigned during call establishment while using a Switched 
Virtual Connection (SVC) or Permanent Virtual Connection (PVC). 
The reference model consists of the ATM Adaptation Layer (AAL), the ATM 
Layer and the Physical Layer: 

— ATM Adaptation Layer (AAL) 

The ATM Adaptation Layer adapts the data structure of higher-layer services 
to the cell structure of the ATM Layer. 

— ATM Layer 

The ATM Layer is responsible for the transparent transfer across pre-estab- 
lished connections and is independent of the used service and physical in- 
frastructure. 

— Physical Layer 

The main task of the Physical Layer is to adapt cells from the ATM Layer 
to the physical infrastructure. 

3 SDH 

SDH and SONET are transmission systems with unlimited increasing transmis- 
sion rates that originally have been developed for the use in Wide Area Networks 
(WANs). Nowadays they are also used for ATM in Local Area Networks (LANs). 
The standards for SDH and SONET contain not only the definitions of interfaces, 
e.g. transmission rates, formats and multiplexing techniques and error perfor- 
mance objectives, but also recommendations for network management. SDH and 
SONET have similar characteristics. SONET is mainly used in North America 
and is based on a standard frame, called Synchronous Transport Signal Level 1 
(STS-1), with a transmission rate of 51.84 Mbit/s. SDH, which is based on a 
standard rate of 155.52 Mbit/s, is widely spread in Europe. The standard SDH 
frame is called Synchronous Transport Module 1 (STM-1). 

SDH has a modular structure, in which the STM-1 builds the basis for all 
higher transmission rates. Higher transmission rates are gained by bytewise mul- 
tiplexing 4·n STM-1 frames (n = 1, 2, etc.) to one STM-4n frame. In this way the 
next level of the hierarchy is the STM-4, which offers a capacity of 622 Mbit/s. 

In synchronous networks the clocks of the network providers' synchronous 
switching equipment are locked to one common clock. The objective of network 
synchronization is to minimize the number of byte slips. In case of clock dif- 
ferences between network nodes, up to three bytes can positively or negatively 
be stuffed into one transmission frame. Therefore, bit- or byte-slipping can only 
occur if these thresholds are exceeded or in case of a frame buffer overflow or 
underflow. This error needs to be taken into consideration even if the probability 
of bit- or byte-slipping is extremely low. 

The overhead on the STM-1 frame contains bytes for frame synchroniza- 
tion, signaling of the frame structure, service quality monitoring, path identi- 
fication, alerts and alert responses. These specific parts of the frame must not 
be encrypted. Some overhead bytes bypass the encryption and enter the next 
overhead respectively to be transmitted in plaintext. Section 5 summarizes the 
error performance objectives which are described in ITU-T G.826 and ITU-T 
G.829. 

4 Encryption 

A block cipher encrypts plaintext blocks of a fixed size of n bits, whereby usual 
values for n are 64 or 128. For messages exceeding n bits, the simplest approach is 
to divide them into n-bit blocks and encrypt each block separately. This native mode 
of a block cipher, the Electronic Codebook Mode (ECB), has disadvantages in 
most applications. Enciphering each block separately results in separate pieces of 
ciphertext which the adversary can analyze and abuse. A method of enciphering 
successive blocks is necessary, making the cipher meaningless except in the given 
sequence. 

Two ways of generating such a sequence are common. The first solution 
is the concatenation of a ciphertext block with all preceding blocks by a 
chaining operation as in Cipher Block Chaining mode or a feedback operation 
as in Cipher Feedback Mode (CFB). The other one is the generation of 
a pseudo-random binary sequence that is added modulo 2 to the plaintext 
binary sequence, as it is done in Output Feedback Mode (OFB). These ciphers 
are called binary additive stream ciphers. 

The four modes of operation, defined so far in ISO 10116 [5], are quite dif- 
ferent in their properties regarding security, synchronization, error propagation, 
delay and throughput. (Note: ISO 10116 is currently being revised. It will be ex- 
tended by new modes appropriate for high-speed applications, e.g. the Counter 
Mode and the Statistical Self-Synchronization, at the next release.) 

4.1 CBC-Mode 

A method of using the algorithm in which the ciphertext blocks are concatenated 
is called the CBC mode. Figure 1 demonstrates how the CBC mode is used to 
encrypt a message. The content of the Shift Register at the beginning is called 
the Initialization Vector. The CBC mode requires complete blocks of 64 bits 
until the final block is encrypted. The length of the feedback register is extended 
to allow parallel encryption (pipelining) for usage in high-speed networks. 




Fig. 1. CBC-Mode 



The operation of enciphering each plaintext variable employs the following 
steps. First the leftmost n bits of the feedback register have to be selected. The 
input to the cipher engine is defined to be the XOR of the data and the content 
of the feedback register. The ciphertext is generated by ciphering the cipher 
engine input. The bits of the feedback register are shifted left by n places and 
the ciphertext is inserted in the rightmost n places, to produce the new value 
of the feedback register. The new n leftmost bits are used as the next input 
of the encipherment process. These steps are repeated until the final block is 
encrypted. The final data block of a message or record may contain less than 
64 bits when processing in the CBC mode. In this case either the plaintext block 
must be padded to 64 bits or the terminal block must be enciphered in a way 
that yields the same number of bits as the input. The steps to encipher the data 
are repeated in reverse order to decipher the data again. 

One or more bit errors within a single cipher block affect the decryption of 
two blocks (the block in which the error occurs and a succeeding block). If the 
errors occur, each bit of the corresponding plaintext block has an average error 
rate of 50%. A succeeding plaintext block has one bit error at the same position. 
Therefore the CBC mode recovers from bit errors; it also recovers from losses 
of whole ciphertext blocks, but it does not recover if the block boundaries are 
lost. The error propagation of the CBC mode in ATM networks is described in 
Sec. 6.1. 

4.2 The CFB Mode 

In CFB mode encryption is achieved by XORing the plaintext with the key stream, 
the output of a key stream generator, where the size of a plaintext character 
is n bits. The key stream is generated by the block cipher E_K, whereby K is a 
secret key. The algorithm's input data is buffered in an input shift register. The 
ciphertext is fed back into the input shift register, n bits at a time (Fig. 2). 




Fig. 2. CFB-Mode 



The CFB mode is self-synchronizing. If a synchronization error occurs by 
erasing or adding a ciphertext unit of n bits, the decrypting side only gener- 
ates corrupt plaintext as long as defect ciphertext units remain in the input 
shift register; this requires r/n ciphertext blocks, where r is the length of the feed- 
back shift register. The same behavior occurs if bits have been modified during 
transmission. 

CFB mode is quite inefficient in terms of encryption speed. One block cipher 
operation is required for enciphering n bits of plaintext. This applies also if 
n = 1 is selected to gain self-synchronization even in the case of bit slipping. 
The one-bit CFB is not suitable for the encryption of broadband networks. In 
general, assuming V is the throughput rate of the block cipher implementation, 
the effective encryption rate can be calculated by: 



4.3 The OFB-Mode 

The Output Feedback Mode (OFB) differs from CFB mode in that the output of the 
encryption block is fed back into the input shift register instead of the ciphertext. 
Hence, a complete output block of the key stream can be XORed with the 
plaintext for encryption even if this is achieved only n bits by n bits (Fig. 3). The 
effective encryption rate therefore equals the encryption rate V of the key stream 
generator. Since the key stream does not depend on the plaintext or ciphertext 
it may be generated in advance. This type is also called a synchronous stream 
cipher. 




Fig. 3. OFB-Mode 



The fact that the transmitted ciphertext is not used for the generation of 
the key stream means that the cryptographic synchronization is completely lost 
and cannot be recovered after the occurrence of synchronization errors. The 
advantage of the OFB mode is that no error propagation occurs if bits have 
been modified during transmission. 

4.4 The Statistical Self-Synchronization 

The two stream cipher modes of operation of block ciphers described in sec- 
tions 4.2 and 4.3 show big differences in their properties. The CFB is self- 
synchronizing, but only offers a low data throughput and error propagation. 
The OFB in contrast is not self-synchronizing, but has no error propagation and 
offers a higher encryption rate. 

The optimal solution would be the combination of both modes of operation. 
This is achieved by the Statistical Self-Synchronization. 

The Statistical Self-Synchronization switches from one mode of operation to 
the other and back, whereby synchronization between encryption and 
decryption is reached by using the CFB mode. OFB mode is used between the synchro- 
nization phases. Loss of synchronization occurs in case of bit- or byte-slipping. 
In order to re-synchronize, both sides need to be switched to CFB mode. The 
encryption and decryption are kept in CFB mode until the input shift registers 
are filled with a complete block of ciphertext. This has to be identical on both 
sides. The content is used as a new starting value, whereby the OFB mode is 
re-used afterwards (Fig. 4). 




Fig. 4. Statistical Self-Synchronization 



The decryption side is not able to recognize a loss of synchronization. Both 
sides search for a fixed statistically distributed bit pattern in the ciphertext 
as there is no additional communication capacity between the encryption and 
decryption entities to signal a switch in modes. Once the pattern is found, both 
sides switch to CFB mode. The length of the bit pattern defines the probability 
of the synchronization and needs to be chosen in relation to the probability 
of bit slipping. The content of the bit pattern can be selected randomly as all 
bit patterns of a fixed length are equally probable in the ciphertext. A bit-slip 
causes a loss of synchronization, because the OFB mode is used between the 
synchronization phases. Encryption and decryption are out of synchronization 
until the bit pattern occurs again in the ciphertext. Switching to CFB mode is 
achieved even in the case that no synchronization loss has occurred. 

It should be emphasized again, that the bit pattern is generated by the en- 
cryption process itself as a result of the encryption of the plaintext. No additional 
bandwidth is necessary to signal the synchronization start or re-synchronization 
start, respectively. 
A switching to the slower CFB mode implies for the encryption that during 
the operation in OFB mode, as many key stream blocks as necessary need to be 
stored in the output buffer to encrypt the plaintext during the next synchroniza- 
tion phase. Therefore, the encryption rate in OFB mode must be higher than 
the transmission rate. 

The bit pattern recognition is switched off to permit another synchronization 
during the synchronization process. 

Assuming that the same key is used for long messages, the statistical self- 
synchronization might be weakened compared to the OFB in case of known- 
plaintext resp. chosen-plaintext attacks. Changing the keys more often and 
choosing a block length of more than 64 bits, e.g. 128 bits, makes the attacks 
harder to achieve. As encryption works in output feedback mode, the generated 
key stream is cyclic like the data of any other pseudo-random generator. The 
maximum possible cycle length for a 64 bit OFB mode is 2^64. Leaving the key 
unchanged means that the stream generator jumps from one point in the cycle 
to another every time re-synchronization is performed. 
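The following simulation is an added example, not code from the paper: it runs the Statistical Self-Synchronization byte-wise (n = 8), with a SHA-256-based keyed function as a constructed stand-in for the block cipher E_K (CFB and OFB only ever run the cipher forward), a constructed 8-bit pattern 0x5A and constructed traffic, and shows the OFB/CFB switching as well as the recovery after a byte slip in transit.

```python
import hashlib

BLOCK = 8  # 64-bit block, as in the paper's examples


def ek(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher E_K: a keyed PRF is enough here,
    because CFB and OFB only ever run the cipher in the forward direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


class StatSelfSync:
    """One endpoint (encryptor or decryptor) of the Statistical Self-Synchronization,
    working n = 8 bits (one byte) at a time.

    Between synchronization phases the endpoint runs in OFB mode (cipher output is
    fed back). When the bit pattern shows up in the ciphertext, it switches to CFB
    mode (ciphertext is fed back) until the register holds a complete ciphertext
    block; that block becomes the new OFB starting value. Pattern recognition is
    switched off while the CFB phase is running.
    """

    def __init__(self, key: bytes, iv: bytes, pattern: bytes):
        self.key = key
        self.reg = bytearray(iv)        # feedback shift register (BLOCK bytes)
        self.pattern = pattern
        self.window = bytearray()       # most recent ciphertext bytes, for pattern search
        self.mode = "OFB"
        self.cfb_fill = 0               # ciphertext bytes shifted in since the switch to CFB
        self.ks = bytearray()           # not yet consumed OFB key stream
        self.switches = 0               # number of synchronization phases started

    def _keystream_byte(self) -> int:
        if self.mode == "OFB":
            if not self.ks:
                out = ek(self.key, bytes(self.reg))
                self.reg = bytearray(out)   # OFB: the cipher output is fed back
                self.ks = bytearray(out)
            return self.ks.pop(0)
        return ek(self.key, bytes(self.reg))[0]  # CFB: leftmost n = 8 bits of E_K(register)

    def _after_ciphertext(self, c: int) -> None:
        if self.mode == "CFB":
            del self.reg[0]                 # shift left by n bits ...
            self.reg.append(c)              # ... and insert the ciphertext unit on the right
            self.cfb_fill += 1
            if self.cfb_fill == BLOCK:      # register now holds a full block of ciphertext:
                self.mode = "OFB"           # identical on both sides, so it is the new OFB start
                self.ks.clear()
                self.window.clear()
            return
        self.window.append(c)
        del self.window[:-len(self.pattern)]
        if self.window == self.pattern:     # pattern found in the ciphertext: start a sync phase
            self.mode, self.cfb_fill = "CFB", 0
            self.ks.clear()                 # buffered key stream is dropped on both sides alike
            self.switches += 1

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            c = p ^ self._keystream_byte()
            out.append(c)
            self._after_ciphertext(c)
        return bytes(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        out = bytearray()
        for c in ciphertext:
            out.append(c ^ self._keystream_byte())
            self._after_ciphertext(c)       # the receiver scans the same ciphertext bytes
        return bytes(out)


def run_demo(slip_at=None):
    """Encrypt constructed traffic, optionally delete one ciphertext byte in transit
    (a byte slip), decrypt, and return (plaintext, recovered, sync phases started)."""
    key, iv = b"constructed-demo-key", bytes(range(BLOCK))
    pattern = b"\x5a"   # constructed 8-bit pattern; in practice sized against the slip rate
    plaintext = bytes((i * 7 + 3) & 0xFF for i in range(20000))   # constructed traffic
    enc = StatSelfSync(key, iv, pattern)
    ct = enc.encrypt(plaintext)
    if slip_at is not None:
        ct = ct[:slip_at] + ct[slip_at + 1:]
    recovered = StatSelfSync(key, iv, pattern).decrypt(ct)
    return plaintext, recovered, enc.switches


if __name__ == "__main__":
    pt, rec, n = run_demo(slip_at=5000)
    first_good = next(i for i in range(5000, len(rec) - 64) if rec[i:i + 64] == pt[i + 1:i + 65])
    print(f"{n} sync phases; after the slip at byte 5000 the plaintext is correct again from byte {first_good}")
```

After the slip the receiver produces corrupt plaintext only until the next pattern occurrence has been followed by one block of CFB; everything after that decrypts correctly without any signalling bandwidth.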



4.5 The ATM Counter Mode 

Overview The ATM Counter Mode, specified in the ATM Forum Security 
Specification, is a modified version of the Counter Mode, which will be part of 
the next revision of the ISO 10116 standard. The difference between the 
ATM Counter Mode and the previously introduced CBC Mode is the absence 
of a feedback function. Instead encryptor and decryptor are synchronously pro- 
ducing identical key streams, based on so-called State Vectors (SV). After the 
determination of the key stream the encryptor XORs the key stream with the 
plaintext and generates the ciphertext. On the decryption side the XOR of the 
key stream and the ciphertext recovers the original plaintext (Fig. 5). 




Fig. 5. ATM Counter Mode 



Because the Counter Mode allows direct parallelization of the encryption 
algorithm, it is well suited for high-speed implementations, such as required for 
modern ATM networks. The advantage arises from the fact that the 48 byte 
payload can be divided into 6 segments with a length of 64 bits each. 
Cryptographic Synchronization Dependent on the used ATM Adaptation 
Layer type, a cell loss or bit error in the ATM network can cause a loss of cryp- 
tographic synchronization on the decryption side. The result would be that the 
encrypted cell cannot be correctly decrypted again. To prevent this the decryp- 
tor has to use the same SV as the encryptor. To accomplish this the encryptor 
sends re-synchronization cells (Session Key Changeover (SKC)) including the 
actual State Vector. The SKC cells are sent on a regular basis, dependent on the 
bandwidth of the used connection and the negotiated Quality of Service param- 
eters. The so-called re-synchronization rate (R) is based on the Cell Loss Ratio 
(CLR) and the Sustainable Cell Rate (SCR): R = 10 · CLR · SCR 

State Vector The synchronously produced key stream is based on identical 
State Vectors (SV). The SV consists of several counters and a Linear Feedback 
Shift Register to ensure that unique key stream values are generated for each 
encrypted block (Figure 6): 

— Galois Linear Feedback Shift Register (LFSR) 

The LFSR is a 21 bit linear non-repeating sequence that is stepped once per 
cell or per sequence of cells depending on the used AAL type. In case of a 
re-synchronization the LFSR is preset to its initial value. 

— Initiator /Responder bit 

The initiator/responder bit is used to prevent the generation of identical key 
streams for each direction in duplex connections. 

— Sequence number 

The 4 bit sequence number field is filled with the sequence number extracted 
from the encrypted/decrypted ATM cell. The length of the sequence number 
within the ATM cell is dependent on the used AAL type. 

— Segment number 

The 48 byte payload of the ATM cell is separated into 64 bit segments for 
encryption and decryption. The 3 bit segment number defines which segment 
is being encrypted/decrypted. All other State Vector fields are held constant 
for the entire cell payload. 

— Jump number 

The 35 bit jump number is preset to all zeros at call setup and is incremented 
for each re-synchronization and in case of an AAL-5 connection for each 
received End-of-Message cell. Because of its length the jump number ensures 
an always unique SV. 



Fig. 6. State Vector (SV), 64 bits in total: Galois LFSR (21 bits) | I/R (1 bit) | Sequence # (4 bits) | Segment # (3 bits) | Jump # (35 bits) 
4.6 Statistical Counter Mode 

The ATM Counter Mode has the disadvantage that it allocates bandwidth for 
synchronizing en- and decryption. This disadvantage can be overcome by using 
a new mode, the Statistical Counter Mode. 

On the analogy of the ATM Counter Mode, the Statistical Counter Mode 
encrypts the plaintext by XOR-ing the enciphered State Vector with the plain- 
text. Compared to the ATM Counter Mode, a modified SV is used, as the Jump 
Number is not considered. Instead the LFSR is extended to 56 bits for AAL-1 
and AAL-3/4 and to 44 bits for AAL-5. Additionally, for AAL-5 a 16 bit counter 
for the cells between two End of Message (EOM) cells is used (Fig. 7). The pur- 
poses of the other fields remain unchanged. The update of the SV is processed 
in accordance with the update mechanisms of the ATM Counter Mode. 

Fig. 7. State Vector of the Statistical Counter Mode 



Without allocating bandwidth and without sending re-synchronization cells 
the synchronization process is maintained by scanning the ciphertext for a pre- 
defined Bit Pattern (BP) in the 2nd byte of each user cell payload. The cell 
containing the bit pattern is called Bit Pattern Cell (BPC). Since the first byte 
of the payload is not random, it cannot be used as it may contain the sequence 
number. The re-synchronization rate is determined by the length of the bit pat- 
tern. If the defined bit pattern occurs in the ciphertext, the following 56 bits 
are stored and encrypted. They serve as a new value for the LFSR. The value 
that has been extracted from the ciphertext is random and therefore an already 
used value can recur. To prevent an attacker from getting knowledge about the 
used LFSR, the ciphertext is enciphered again before it is used in the new SV, 
even if the probability of the repeated LFSR content is very low. Furthermore, 
in contrast to the ATM Counter Mode, the value of the LFSR should be kept 
secret. Figure 8 shows the Statistical Counter Mode for ATM. 

The re-synchronization rate is defined by the length of the bit pattern. The 
shorter the bit pattern is chosen, the more often re-synchronization is performed. 
The average re-synchronization rate should be the same as in the ATM Counter 
Mode. It can be calculated by: 

$R = \frac{1}{2^{BPL}} = 10 \cdot CLR \cdot SCR$   (1) 
Fig. 8. Statistical Counter Mode 



Respectively, the length of the bit pattern is derived by: 

$BPL = \frac{\log\left(\frac{1}{10 \cdot CLR \cdot SCR}\right)}{\log(2)}$   (2) 



Since different bit patterns of the same length have the same probability ($P = 
1/2^{BPL}$), the distances between the synchronization events are geometrically 
distributed with mean $2^{BPL}$. Thus, the probability of the distances d can be 
derived by: 

$f(d) = \begin{cases} 2^{-BPL} \cdot \left(1 - 2^{-BPL}\right)^{d-1} & \text{for } d \in \{1, 2, \ldots\} \\ 0 & \text{otherwise} \end{cases}$ 

The exact time of re-synchronization cannot be foreseen, as the occurrence 
of the bit pattern is statistically distributed. 

New problems arise due to transmission errors that affect the bit pattern 
cell. Under the assumption that all bits in an errored cell are unusable, in an 
errored BPC, the bit pattern itself as well as the new starting value are errored. 
Therefore, the decryption is not able to detect the bit pattern which finally leads 
to loss of synchronization. The same problem arises if a cell is errored in that 
way, that a new bit pattern is created. The decryption would detect a pattern 
which the encryption did not detect. If the BPC is lost, the decryption produces 
corrupt plaintext until re-synchronization is performed again. 
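As an added example (not code from the paper or from the ATM Forum specification), the following Python simulation runs the Statistical Counter Mode for an AAL-1 connection: a SHA-256-based keyed function stands in for E_K, the LFSR feedback mask and the 8-bit pattern 0x5A are constructed choices, the 4-bit sequence number is modelled as carried with the cell in the clear (it is taken from the cell, as the text says), and the cell payloads are constructed. It shows the pattern-triggered reload of the LFSR from the re-enciphered 56 bits following the pattern, and the error propagation after a lost cell (corrupt plaintext until the next Bit Pattern Cell).

```python
import hashlib

SEGMENTS = 6                 # the 48-byte cell payload is six 64-bit segments
LFSR_BITS = 56               # AAL-1 / AAL-3/4 variant of the modified State Vector
LFSR_TAPS = (1 << 55) | (1 << 24) | (1 << 10) | 1   # constructed feedback mask, not the spec's


def ek(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K (counter mode only uses the forward direction)."""
    return hashlib.sha256(key + block).digest()[:8]


def state_vector(lfsr: int, ir: int, seq: int, seg: int) -> bytes:
    """Pack the modified SV of Fig. 7 for AAL-1: LFSR (56) | I/R (1) | sequence # (4) | segment # (3)."""
    assert lfsr < (1 << LFSR_BITS) and ir < 2 and seq < 16 and seg < 8
    return ((lfsr << 8) | (ir << 7) | (seq << 3) | seg).to_bytes(8, "big")


def lfsr_step(state: int) -> int:
    """One step of a 56-bit Galois LFSR."""
    lsb = state & 1
    state >>= 1
    return state ^ LFSR_TAPS if lsb else state


class StatCounterMode:
    """One side of a Statistical Counter Mode connection (AAL-1)."""

    def __init__(self, key: bytes, lfsr_init: int, ir: int, pattern: int):
        self.key, self.lfsr, self.ir, self.pattern = key, lfsr_init, ir, pattern
        self.resyncs = 0

    def _xor_keystream(self, seq: int, payload: bytes) -> bytes:
        out = bytearray()
        for seg in range(SEGMENTS):           # one E_K(SV) per 64-bit segment
            ks = ek(self.key, state_vector(self.lfsr, self.ir, seq, seg))
            out += bytes(a ^ b for a, b in zip(payload[8 * seg:8 * seg + 8], ks))
        return bytes(out)

    def _update(self, ct: bytes) -> None:
        self.lfsr = lfsr_step(self.lfsr)                 # stepped once per cell for AAL-1
        if ct[1] == self.pattern:                        # Bit Pattern Cell: 2nd payload byte matches
            # The 56 bits following the pattern, enciphered again so the LFSR content
            # stays secret, become the new LFSR value (a zero byte pads them to a block).
            self.lfsr = int.from_bytes(ek(self.key, ct[2:9] + b"\x00")[:7], "big")
            self.resyncs += 1

    def encrypt_cell(self, seq: int, plaintext: bytes) -> bytes:
        ct = self._xor_keystream(seq, plaintext)
        self._update(ct)
        return ct

    def decrypt_cell(self, seq: int, ct: bytes) -> bytes:
        pt = self._xor_keystream(seq, ct)
        self._update(ct)                                 # same scan of the same ciphertext
        return pt


def run_demo(n_cells: int = 8000, lost_cell=None):
    """Encrypt a constructed AAL-1 cell stream, optionally lose one cell in transit,
    decrypt the rest and return ({cell index: payload recovered?}, encryptor resyncs)."""
    key = b"constructed-demo-key"
    cells = [(i % 16, bytes((i * 31 + j * 7) & 0xFF for j in range(48))) for i in range(n_cells)]
    enc = StatCounterMode(key, lfsr_init=0x0123456789ABCD, ir=0, pattern=0x5A)
    dec = StatCounterMode(key, lfsr_init=0x0123456789ABCD, ir=0, pattern=0x5A)
    wire = [(i, seq, enc.encrypt_cell(seq, pt)) for i, (seq, pt) in enumerate(cells)]
    recovered = {}
    for i, seq, ct in wire:
        if i == lost_cell:
            continue                                     # cell lost in the ATM network
        recovered[i] = dec.decrypt_cell(seq, ct) == cells[i][1]
    return recovered, enc.resyncs


if __name__ == "__main__":
    rec, n = run_demo(lost_cell=50)
    bad = [i for i, ok in rec.items() if not ok]
    print(f"{n} resyncs; cells decrypted wrongly after losing cell 50: {bad}")
```

The lost cell leaves the decryptor's LFSR one step behind, so every following cell is corrupt until both sides see the next Bit Pattern Cell and reload the same value from the ciphertext.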

5 Impact of Security on Error Performance in 
SDH/SONET 

In contrast to ATM, SDH does not offer any possibility to provide additional 
bandwidth for cryptographic synchronization methodologies. Hence, the mode 
of operation for an encryption in SDH networks has to be self-synchronizing and 
to offer an adequate throughput rate. Due to these needs, the only appropriate 
mode of operation is the Statistical Self-Synchronization. 
Using the Statistical Self-Synchronization provokes a new source of errors. 
Losing the cryptographic synchronization means that all bits are errored until 
the synchronization is re-established. There are three possible reasons for the 
loss of synchronization: 

— A bit- or byte-slip (Event E1) 

— An errored synchronization pattern (Event E2) 

— A new synchronization pattern is generated by an error (Event E3) 

Frame alignment in SDH is found by searching for the framing pattern con- 
tained in the SOH of the STM-N signal as specified in ITU-T G.783. The 
frame signal is continuously checked with the presumed frame start position for 
alignment. If no framing pattern is found in the presumed bit position, Out- 
of-Frame (OOF) is declared. In the OOF condition the SDH payload may be 
corrupt. In the OOF state the maximum frame alignment time shall be 250 µs 
for an error-free signal with no emulated framing patterns. In case of a bit- or 
byte-slip the frame alignment is lost as well as the cryptographic synchroniza- 
tion. Frame alignment is gained again 250 µs after the correct framing pattern 
has been found. The encryption algorithm is not synchronized until the synchro- 
nization pattern is found in the ciphertext. For this period of time the decryption 
generates erroneous plaintext. 

An errored synchronization pattern as well as an erroneous generated syn- 
chronization pattern have the effect that cryptographic synchronization is lost. 
In that case only one of the participating parties performs a re-synchronization. 
The encryption is out of synchronization until the next occurrence of the syn- 
chronization pattern. 

The probability for both events, the errored synchronization pattern and the 
erroneously generated synchronization pattern, is equal. The length of the syn- 
chronization pattern has to be adapted to the BER and the slip rate. The dom- 
inating events are the events E2 and E3, as slipping occurs rarely. The longer 
the synchronization pattern is chosen, the smaller is the probability for these 
events and for a disturbed decryption. The occurrence of a longer synchroniza- 
tion pattern has a lower probability, which results in a longer period without 
synchronization. 

A demand on the encryption is the transparency regarding the SDH frame 
structure and management data. Erroneous decryption cannot be detected by 
the error detection mechanisms of SDH. If e.g. an ATM signal is mapped into 
the VC-4, errors can only be detected by the ATM network equipment. 

Monitoring the BER in terms of G.826, a loss of cryptographic synchro- 
nization causes a burst error and thus an SES, but it is not detected by the SDH 
equipment. This is troublesome for the signal that is carried by the SDH network 
and recovered from a path terminating node as the data is corrupt. The encryp- 
tion has to be adjusted for an optimized error performance which is reached by 
choosing the appropriate length of the synchronization pattern. 
6 Impact of Security on QoS in ATM 

Providing security in ATM networks is an important aspect to guarantee the 
confidentiality of the transmitted data. New security devices which offer differ- 
ent encryption algorithms and modes of operation are necessary to fulfill these 
demands. The CBC and ATM Counter Mode are the recommended modes of 
operation by the ATM Forum in their Security Specifications. The ATM Forum 
suggests the DES and FEAL algorithms for the encryption in ATM networks. 

All security devices have in common that the performance parameters (Tab. 1) 
defined in ITU-T I.356 are influenced. This arises because of the transit de- 
lays, delay variations and obviously the error propagation of the modes. Hence, 
the degradation of the QoS parameters depends on the used mode of operation 
and implementation. 



Table 1. ATM Performance Parameters 

Acronym  Parameter                          Meaning 
CER      Cell Error Ratio                   ratio of total errored cells to total transferred cells 
CLR      Cell Loss Ratio                    ratio of total lost cells to total transmitted cells 
CMR      Cell Misinsertion Rate             the number of misinserted cells per connection second 
CTD      Cell Transfer Delay                the time between the occurrence of two corresponding successful cell transfer events 
CDV      Cell Delay Variation               variability in the pattern of cell arrival events at a measuring point 
SECBR    Severely Errored Cell Block Ratio  ratio of total severely errored cell blocks to total cell blocks 



Especially the time dependent parameters (CTD and CDV) are highly de- 
pendent on the hardware or software implementation. Features like key agility and 
algorithm agility have a strong impact on the performance because these features 
lead to additional delay and delay variations, but are out of scope. 

If modes of operation that require additional bandwidth (e.g. the ATM 
Counter Mode) for synchronization purposes are used, it is recommended to 
assume that the additional bandwidth is available and reserved during the call- 
establishment. Otherwise it would lead to an increment of the cell loss ratio, 
because a cell loss may be unavoidable each time a SKC cell is inserted. Ev- 
idently, the influence on the QoS parameter not only depend on the mode of 
operation, but strongly on the implementation and traffic characteristics. 

The influence of the used mode of operation on the dependability parameters 
(CER, CLR, CMR) are described in the following sections. The impact of the 
implementation and the specific aspects are out of scope. 
6.1 Impact of the CBC-Mode 

As described in ITU-T I.432.1, the synchronization mechanism verifies the in- 
tegrity of every incoming cell and rejects invalid cells. Consequently only valid 
cells are transmitted to security devices and therefore, the CBC Mode in ATM 
networks self-synchronizes from bit errors and cell losses. 

The CBC Mode does not require any bandwidth for re-synchronization pur- 
poses. Thus, this mode does not have any influence on the CLR. Misinserted 
cells are usually caused by errored routing tables. Naturally, security devices do 
not have any routing purposes and therefore the CMR does not change. 

The modification of the CER depends on the CLR, CMR and CER itself. 
Supposing the parallel encryption of m blocks, the loss of an encrypted cell 
leads to Δ = 1 + errored cells. The same number of cells is errored after 
each misinserted cell. An errored block in cell i leads to one additional errored 
cell in cell i + Δ. 

6.2 Impact of the ATM Counter Mode 

Compared to the CBC-Mode, the ATM Counter Mode is a non-self-synchronizing stream cipher, which results in the necessity for a re-synchronization protocol. The re-synchronization with SKC cells implies a demand for additional bandwidth. Assuming that the additional bandwidth is requested during call setup, the CER, CLR and CMR are affected in several ways depending on the AAL type used. 

A cell error does not result in error propagation as long as the cell error does not occur in a SKC cell. In that case all cells up to the next re-synchronization cell cannot be decrypted correctly. In an AAL-1 or AAL-3/4 connection, a corrupted sequence number in the ATM payload would lead to the same result. 

In an AAL-1 or AAL-3/4 ATM connection a cell loss causes error propagation if the SKC cell is lost. Again all cells up to the next re-synchronization cell cannot be decrypted correctly. For an AAL-5 connection a cell loss means that all cells up to the next End-of-Message cell (EOM) or SKC cell are errored. In case of a lost SKC or EOM cell the synchronization is lost up to the next SKC cell. 

For all AAL types a misinserted ATM cell results in an errored cell stream up to the next SKC cell. The ATM Counter Mode only has an impact on the Cell Error Ratio and not on the CLR and CMR. Table 2 shows all error and re-synchronization events. 

Table 2. Re-Synchronization in ATM Counter Mode 

Event                        AAL-1 & 3/4      AAL-5 
Cell Error (SKC)             SKC cell         SKC cell 
Errored sequence number      SKC cell         — 
Cell Loss                    —                SKC or EOM cell 
Cell Loss (SKC)              SKC cell         SKC cell 
Cell Loss (EOM)              —                SKC cell 
Misinsertion                 SKC cell         SKC or EOM cell 

6.3 Impact of the Statistical Counter Mode 

As the Statistical Counter Mode for ATM is based on the ATM Counter Mode, the error expansion is similar. This concerns the impact of cell losses and cell errors of user cells not containing the re-synchronization pattern as well as misinserted cells. Differences only occur if the cell containing the re-synchronization pattern is affected. This may happen if this cell has an errored re-synchronization pattern or an errored starting value, or if this cell is lost. The same problem arises if a cell is errored in such a way that a valid re-synchronization pattern is created. In all cases synchronization is lost until the next BPC is detected and processed. Table 3 shows all errors and the events that reestablish synchronization. 



Table 3. Re-Synchronization in Statistical Counter Mode for ATM 

Event                                AAL-1 & 3/4      AAL-5 
Cell Error (BPC)                     BPC cell         BPC cell 
Cell Error (generated bit-pattern)   BPC cell         BPC cell 
Errored sequence number              BPC cell         — 
Cell Loss                            —                BPC or EOM cell 
Cell Loss (BPC)                      BPC cell         BPC cell 
Cell Loss (EOM)                      —                BPC cell 
Misinsertion                         BPC cell         BPC or EOM cell 


7 Conclusions and Outlook 

In this contribution the most widely used and specified modes of operation for high-speed networks are described, and new modes, the Statistical Counter Mode for ATM and the Statistical Self-Synchronization for SDH/SONET networks, are presented. 

The Statistical Self-Synchronization is the only mode that provides self- 
synchronization, efficient encryption speed and allows parallelization of multiple 
encryption modules. However, the Statistical Self-Synchronization shows secu- 
rity weaknesses compared to the OFB mode, because of the re-synchronization 
process. This problem can be prevented by changing the keys more frequently. 

For ATM networks, various modes of operation are applicable. The CBC mode is self-synchronizing but exhibits error propagation. The ATM Counter Mode has less error propagation but requires bandwidth for synchronization purposes. The new Statistical Counter Mode overcomes this disadvantage using a statistical method. Therefore, for ATM the mode has to be chosen in accordance with the desired application and quality parameters. 






An overview of the error propagation and the QoS parameters in ATM and SDH/SONET networks has been given. The impairment of quality parameters is tolerated to gain the benefit of data confidentiality. Further research has to be done in the area of the simulation models and the analysis of the simulation results in comparison to the existing ATM security device SEDAN 155 developed at the Institute for Data Communications Systems. 


Abstract. We discuss the availability questions that arise when digital 
time stamps are used for preserving the evidentiary value of electronic 
documents. We analyze the time-stamping protocols known to date and 
point out some weaknesses that have not been addressed so far in scien- 
tific literature. Without addressing and solving them, any advantage of 
the linkage-based protocols over the hash-and-sign time-stamping would 
be questionable. We present several new techniques and protocols for im- 
proving the availability of both the hash-and-sign and the linkage-based 
time-stamping services. We introduce fault-tolerant linking as a new con- 
cept to neutralize fault-sensitivity as the main weakness of linkage-based 
time-stamping. 



1 Introduction 

A time stamp is an attestation that a digital document was created at a certain time. Time stamps are essential tools for relying parties to preserve the evidentiary value of electronic data (particularly digital signatures). Due to their responsible mission, Time-Stamping Authorities (TSAs) must be reliable: trustworthy, and available when needed. Availability threats may be as harmful as potential attacks by network hackers or dishonest behavior of other parties (repudiation etc.). For example, if the TSA's server is destroyed, a large number of time stamps may become unverifiable, and therefore relying parties may suffer considerable monetary losses because some important documents (agreements, bills etc.) have lost their evidentiary value. This seems unfair from the viewpoint of an interested party who has no control over the procedures running in a time-stamping server. It would thereby be reasonable if no party could affect the validity of time stamps except the relying party itself. 

Regardless of their importance, availability questions have almost never been discussed in the scientific literature. This paper is intended to be a contribution to filling this gap. We discuss several techniques for improving the availability of time-stamping services. In particular, we propose protocols for using multiple time-stamping servers and argue what kind of benefits such an approach may offer for both the hash-and-sign and the linkage-based systems. We also discuss methods for fighting occasional errors in the TSA's database, which turn out to be the most serious threats in linkage-based time-stamping systems. 

In Section 2, we outline the objectives of time-stamping, the general model 
of time-stamping, and point out the main threats to availability. In Section 3, we 
analyze the time-stamping systems known to date and point out their advantages 
and weaknesses. In Section 4, we discuss how multiple servers can be used to 
improve the availability of service. In Section 5, we introduce a new concept of 
fault-tolerant linking - a technique against fault-sensitivity of the one-way hash 
computations used in linking schemes. 

2 Time-Stamping: Objectives, Model, and Threats 

Let be a time interval and x, y be bit-strings. There are three basic statements that time stamps should prove: 

— Freshness (of x at t): x was created after t. 

— Existence (of y at t'): y was created before t'. 

— Order (of y and x): y was created before x. 

We call the time stamps intended to prove these statements (1) freshness token, (2) existence token (or stamp), and (3) order token, respectively. Freshness tokens are needed to avoid replay attacks in authentication protocols. Possibly, there exist no reliable ways of proving that x was created precisely at t. Existence tokens (or stamps) are necessary for proving that a digital signature was created before the corresponding key-identity relation was revoked. In some cases we may need to prove more than one of these statements. 




Fig. 1. General model of time-stamping. 



362 Arne Ansper et al. 

Time-stamping is a service used by the Relying party to prove temporal relations to the Verifier (such as a judge). The relying party obtains time stamps from the TSA (and also takes care of them later) by using the Stamping protocol. The Verifier uses the Verification protocol (which may require communication with the TSA) to check the correctness of time stamps presented by the relying party (Fig. 1). The TSA may also use secure logs and a public directory to enable the Auditor to audit the TSA's work. Audit reports are made available to the verifier and to the relying party. The presence of regular audit gives some additional assurance to time-stamping services. 

As mentioned in the Introduction, it would be fair if the evidentiary value of time stamps did not depend on third parties (other than the relying party). This is the motivation for the compactness of evidence principle: relying parties possess compact and time-proof evidence whose value depends neither on other parties' actions nor on events over which the relying party has no sufficient control. We discuss three such events: 

[A] Broken cryptography and compromised keys. If the cryptographic mechanisms for protecting the authenticity of time stamps are compromised, there should still be a mechanism to distinguish between time stamps (1) issued by the TSA before the compromise, and those (2) created by an attacker using the compromised cryptography. Otherwise, all the time stamps issued so far can be called into question and cannot further be used as evidence. 

[B] Service unavailability. The time-stamping service itself becomes unavailable for a while. Relying parties are not able to obtain time stamps for documents they want to preserve as evidence. Such an accident may be critical, for example, in a stock market computer system where time stamps are used to order stockbrokers' requests. Unavailability is often caused by denial of service attacks, which are possible if the communication (or security) protocols are poorly designed. 

[C] Loss of server's data. A portion of the data in a time-stamping server is destroyed and a fraction of the time stamps becomes unverifiable. This means that a large number of documents may lose their evidentiary value, and therefore relying parties may suffer considerable monetary losses. This type of unavailability may be caused by occasional errors in the TSA's server. The most important reason that makes this threat more serious than the previous one is that neither the server nor the relying parties may notice that errors have occurred, and the server uselessly continues its work. 

In this paper, we analyze which of those threats are encountered in each 
time-stamping system. We also propose new techniques for overcoming these 
threats. 

3 Time-Stamping Systems: Overview 

Preliminaries and notation. By $\mathrm{Sig}_A\{X_1, \dots, X_m\}$ we mean a digital signature created by A on the ordered list of messages $X_1, \dots, X_m$. Sometimes we inherently assume that A uses a signature scheme with message recovery. By a collision-free hash function h we mean a polynomial-time function family such that it is computationally infeasible to find two arguments $x_1 \neq x_2$ such that $h(x_1) = h(x_2)$. An exact mathematical definition of a hash function is unnecessary for understanding the subject of this paper and is omitted. 

Technical assumptions. We only deal with time-stamping systems with one or more central authorities, though there exist protocols without central authorities. We also assume that, in order to prevent unreasonable communication, documents are always hashed before they are included into time-stamping requests. 

3.1 Absolute (Hash-and-Sign) Time Stamps 

Absolute (hash-and-sign) time stamps are tokens (signed by the TSA) which comprise a document (or a hash of the document) and a date/time represented as a number. The security of this scheme is based on the assumption that the TSA has a precise enough clock and is completely trustworthy. 

To obtain a freshness token $\mathcal{H}$, a client A (Alice) sends a request to the TSA. The TSA signs the current time t and sends $\mathcal{H} = \mathrm{Sig}_{TSA}\{t\}$ back to A. For example, given a message $\sigma = \mathrm{Sig}_A\{X, \mathcal{H}\}$, Bob is able to verify that X was signed by Alice after t. Note that even if the TSA is trusted and trustworthy, the freshness token does not prove that $\sigma$ was created precisely at t. 

To obtain a stamp for a bit-string x (for example, $x = \sigma$), a client B (Bob) sends x to the TSA. The TSA adds the current time and date t' to x and sends $T = \mathrm{Sig}_{TSA}\{x, t'\}$ back to B. The triple $(\mathcal{H}, \sigma, T)$ proves that A signed X during the interval $[t, t']$. 

Main concern: key compromise. In systems with a single TSA there seems to be no efficient solution to this problem. The best solution seems to be that the TSA stores all time stamps it ever issues. If the key is then compromised, the TSA signs all time stamps with a new key. This is impractical because of the high storage and computational complexity. Tamper-proof hardware may be used to prevent key compromise. The hardware module may even generate a key pair for the TSA and never let the private component outside the module. However, this is not a completely usable solution either, because the signature scheme itself may be broken or the key length may be insufficient. In Surety's white paper they even conclude that using keyed cryptography for time-stamping is extremely flawed and only keyless cryptography can do the job. However, we do not completely agree with this categorical statement. We will show in this paper that the key change is practical in the multi-server case. 

3.2 Auditable Relative Time-Stamping 

There is a substantive relationship between absolute time stamps and trust. People have unconsciously accepted the concept of time as a number, and they hardly realize that actually the relation between physical time and numbers is almost as artificial as the relation between people and their public keys (which are numbers as well!). Thereby, the relationship between time and numbers cannot be fixed reliably without using trusted third parties. However, this does not mean there is no temporal measure which is independent of trusted third parties! Indeed, under some assumptions about computational intractability (one-wayness of hash functions), we have a relative temporal measure that uses no trust assumptions. 

Let h be a collision resistant one-way hash function and y be a bit-string which was published in a newspaper on February 20, 2001. If we are sent a bit-string x satisfying the relation $y = h(x)$ then we are convinced (because of one-wayness) that x was known to somebody (or stored in a computer) before y was created. Therefore, we also know for sure that x was created before February 20, 2001. More generally, if 

$$y = \mathcal{L}(x, x_1, \dots, x_n), \qquad (1)$$ 

where $\mathcal{L}$ is an arbitrary hash formula (e.g., $h(h(x, x_1), h(x_2, x_3))$), then $(x_1, \dots, x_n)$ is a proof that x was created before y. Let $x = \mathrm{Sig}_A\{X\}$ be Alice's signature on X and $\sigma = \mathrm{Sig}_B\{Y, y\}$ be Bob's signature on Y which also comprises a bit-string y, such that equation (1) holds. Then $(x_1, \dots, x_n)$ is an undeniable proof that Alice signed X before Bob signed Y. Note that the proof itself uses only keyless cryptography and its validity is thereby not affected by key compromise. This is the main idea of linking, first proposed by Haber et al. 

The TSA maintains a secure log file $(L_0, L_1, \dots, L_n, \dots)$ created by using a collision-free hash function h with k-bit output. After each request the TSA computes a new value of $L_n$ using the following recursive formula: 

$$L_n = h(x_n, L_{n-1}) \qquad (2)$$ 

The most important property of the linking scheme is that the value of each log item $L_n$ depends in a one-way manner on all the previous items $L_0, \dots, L_{n-1}$. If $L_n$ was published in a newspaper on February 20, 2001, then: (1) the previous values cannot be modified without the possibility of detection by an Auditor; and (2) $L_0, \dots, L_n$ may be used as existence tokens for $x_0, \dots, x_n$, respectively. 

To obtain a freshness token, Alice sends a request to the TSA. The TSA sends back the most recent $L_m$. To obtain a stamp for a bit-string $x_n$, an interested party B (Bob) sends $x_n$ to the TSA. The TSA computes a new value for $L_n$ using (2). Finally, the TSA sends $L_{n-1}$ back to Bob in order to enable him to compute $L_n$ from $x_n$, and optionally uses a short-term signature key to authenticate $L_n$. So, an existence token is obtained through the following protocol: 

1. B → TSA: $x_n$ 
2. TSA computes: $L_n = h(x_n, L_{n-1})$ 
3. TSA → B: $L_{n-1}$, $[\mathrm{Sig}_{TSA}\{L_n\}]$ (3) 

Here and further, the square brackets mean that the signature is optional in this protocol. From time to time (say, weekly), the TSA publishes the most recent $L_N$ in the Directory (Fig. 1). After that, neither the TSA nor anyone else is able to modify the chain $L_0, \dots, L_{N-1}$ of previous log items. The secure log may also be made widely public. For verifying the order of $L_m$ and $L_n$ (m < n), the Verifier obtains a list $T_{m,n} = (x_{m+1}, x_{m+2}, \dots, x_n)$ and performs n − m hash-steps (Fig. 2). The list $T_{m,n}$ is an undeniable proof that $L_m$ was issued before $L_n$. 

[Fig. 2 shows the chain $L_{m-1} \to L_m \to L_{m+1} \to \dots \to L_{n-1} \to L_n$, each step hashing in one of $x_m, x_{m+1}, \dots, x_{n-1}, x_n$; the proof $T_{m,n}$ spans the steps from $L_m$ to $L_n$.] 

Fig. 2. Linear linking scheme. 



Remark: What do signatures add to the linked service? At first sight, the TSA's signature on $L_n$ in Protocol (3) seems redundant, since the signature is unnecessary for the comparison of time stamps. However, the TSA's signature is still valuable from the viewpoint of availability as a method of authenticating the TSA to clients. A malicious party may act as the TSA and thereby the interested party (Bob) cannot be sure about the validity of the time stamp. Another reason to use signatures is that a malicious TSA may manipulate the temporal order before it publishes a log item in the Directory. As the value of $L_n$ comprises the whole previous history, the signature of the TSA on $L_n$ can be taken as a temporary commitment. Any modifications in the list $(L_0, \dots, L_{n-1})$ can be detected and proved by Bob, even if no $L_N$ (N > n) has been published yet. 

Main drawback: verification cost. Reliable (trust-free) verification of temporal relations may require a large amount of computation and storage, because both are linear functions in |n − m|. The Verifier would have to download a large amount of data for each verification, which may cause huge traffic on the Internet. If a trusted server is used to perform the computation, we have almost the same trust problems as in the absolute time-stamping case. We have very much the same "trust versus communication" problem here as in public key infrastructure: revocation lists (CRL) require communication, whereas the on-line status protocol (OCSP) requires trust. Regular audit may, to some extent, increase the reliability of the service. However, an assumption about a trusted Auditor is very much the same as an assumption about a trusted TSA. 

The compactness of evidence principle is thereby almost unachievable, because it would require a huge amount of storage on the relying party's side. For the service to be practical, the Verifier needs communication with the TSA and hence the evidentiary value of time stamps depends on the availability of the TSA's service. 
3.3 Time Certificates 

The time certificates approach, which was first proposed by Pinto and Freitas and independently by Buldas, Laud, Lipmaa and Villemson, tries to reduce the communication by saving a part of the linkage data as a meta-part $\tau(X)$ (called time certificate) of the time-stamped document X. The purpose of a time certificate $\tau(X)$ is to fix the temporal position of X in a reliable way, so that $(\tau(X), \tau(Y))$ is always a compact piece of evidence for the temporal comparison of X and Y (Fig. 3). 

We now briefly describe how to use the linear linking scheme to create time certificates. Let $L_N$ be the most recent log item which is published, and $x_0, x_1, \dots, x_n$ be the bit-strings time-stamped so far. It is easy to see that we may use a pair $\tau(x_n) = (L_{n-1}, T_{n,N})$ as a time certificate for $x_n$. Indeed, let m < n and $\tau(x_m) = (L_{m-1}, T_{m,N})$ be another certificate. Then, by the definition, 

$$T_{m,n} = (x_{m+1}, \dots, x_n) \subseteq (x_{m+1}, \dots, x_N) = T_{m,N},$$ 

which means that the pair $(\tau(x_m), \tau(x_n))$ indeed comprises a proof that $x_m$ was time-stamped before $x_n$. 
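The linear scheme (2), the stamping exchange of Protocol (3), the n − m hash steps of the Verifier and the off-line comparison and extension of linear time certificates, as an added example in Go that is not the authors' code; SHA-256 stands in for h, and the seed of $L_0$ and the request strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// h is the collision-free hash of an ordered list; parts are length-prefixed so
// that moving a boundary between arguments cannot produce the same digest.
func h(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		d.Write(n[:])
		d.Write(p)
	}
	return d.Sum(nil)
}

// TSA holds the secure log of the linear linking scheme, L_n = h(x_n, L_{n-1}).
type TSA struct {
	X [][]byte // X[0] is a placeholder; X[n] is the n-th stamped bit-string x_n
	L [][]byte // L[n] is the log item L_n
}

// NewTSA starts the log from a constructed L_0 (an assumption of this example).
func NewTSA() *TSA {
	return &TSA{X: [][]byte{nil}, L: [][]byte{h([]byte("constructed L_0"))}}
}

// Stamp is steps 2 and 3 of the stamping protocol: it appends x_n to the log and
// returns n together with L_{n-1}, from which the client recomputes L_n itself.
func (t *TSA) Stamp(xn []byte) (n int, Lprev []byte) {
	n = len(t.L)
	t.X = append(t.X, xn)
	t.L = append(t.L, h(xn, t.L[n-1]))
	return n, t.L[n-1]
}

// Proof returns T_{m,n} = (x_{m+1}, ..., x_n), the list the Verifier hashes through.
func (t *TSA) Proof(m, n int) [][]byte { return t.X[m+1 : n+1] }

// VerifyOrder performs the n-m hash steps: replaying T_{m,n} from L_m must
// reproduce L_n, which proves that L_m was issued before L_n.
func VerifyOrder(Lm, Ln []byte, Tmn [][]byte) bool {
	cur := Lm
	for _, x := range Tmn {
		cur = h(x, cur)
	}
	return bytes.Equal(cur, Ln)
}

// Cert is the time certificate tau(x_n) = (L_{n-1}, T_{n,N}) of the linear scheme.
type Cert struct {
	Lprev []byte   // L_{n-1}
	T     [][]byte // T_{n,N}, up to the published log item L_N
}

// Extend composes T_{n,N} with T_{N,N1}; in the linear scheme that is concatenation.
func (c Cert) Extend(TNN1 [][]byte) Cert {
	return Cert{Lprev: c.Lprev, T: append(append([][]byte{}, c.T...), TNN1...)}
}

// Compare is the off-line comparison of two certificates extended to the same
// published L_N: "a<b", "b<a", "same", or "" if they are not one consistent chain.
func Compare(xa []byte, ca Cert, xb []byte, cb Cert, LN []byte) string {
	La, Lb := h(xa, ca.Lprev), h(xb, cb.Lprev) // the Verifier recomputes L_m and L_n
	first, last, Lm, Ln, verdict := ca, cb, La, Lb, "a<b"
	if len(ca.T) < len(cb.T) { // the longer proof belongs to the earlier stamp
		first, last, Lm, Ln, verdict = cb, ca, Lb, La, "b<a"
	}
	k := len(first.T) - len(last.T)
	for i := range last.T { // T_{n,N} must be the tail of T_{m,N}
		if !bytes.Equal(first.T[k+i], last.T[i]) {
			return ""
		}
	}
	// the first k entries of T_{m,N} are T_{m,n}; both chains must then reach L_N
	if !VerifyOrder(Lm, Ln, first.T[:k]) || !VerifyOrder(Ln, LN, last.T) {
		return ""
	}
	if k == 0 {
		return "same"
	}
	return verdict
}

func main() {
	tsa := NewTSA()
	a, b := []byte("h(doc-a)"), []byte("h(doc-b)") // constructed request hashes
	n1, Lp1 := tsa.Stamp(a)
	n2, Lp2 := tsa.Stamp(b)
	tsa.Stamp([]byte("h(doc-c)"))
	N := len(tsa.L) - 1 // the TSA publishes L_N in the Directory
	ca, cb := Cert{Lp1, tsa.Proof(n1, N)}, Cert{Lp2, tsa.Proof(n2, N)}
	fmt.Println(Compare(a, ca, b, cb, tsa.L[N]))
}
```

A certificate that was not extended to the newer published item cannot be compared against one that was, which is why the text has relying parties extend their certificates to a common $L_N$.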




[Fig. 3: given two time certificates, the off-line comparison decides $\tau(X) < \tau(Y)$ or $\tau(Y) < \tau(X)$.] 

Fig. 3. Off-line comparison of time certificates. 



As we mentioned, the linear linking scheme (2) is not practical for using time certificates because of the certificates' size (linear in the total number of time stamps). More complex linking schemes presented by Buldas et al. make certificates practical because their size in those schemes is logarithmic in the total number of time stamps. 

In general, the protocols are almost the same as in the linear scheme, except that after each request $x_n$ the TSA computes two new values: (1) $L_n$ is a bit-string the length of which is equal to the output length k of h; (2) $\mathcal{H}_n$ is a sequence of bit-strings of length k. Computations use the following recursive formulae: 

$$L_n = \mathcal{L}(x_n, \mathcal{H}_{n-1}), \qquad \mathcal{H}_n = \mathcal{H}(L_n, \mathcal{H}_{n-1}), \qquad (4)$$ 

where $\mathcal{H}$ and $\mathcal{L}$ are polynomial-time algorithms consisting of one-way hash computations. Note that by taking $\mathcal{H}_n = \{L_n\}$ and $L_n = h(x_n, L_{n-1})$ we get the linear scheme. The freshness token in the general scheme is $\mathcal{H}_n$. An existence token can be obtained through the following protocol: 



1. B → TSA: $x_n$ 
2. TSA computes: $L_n = \mathcal{L}(x_n, \mathcal{H}_{n-1})$, $\mathcal{H}_n = \mathcal{H}(L_n, \mathcal{H}_{n-1})$ 
3. TSA → B: $\mathcal{H}_{n-1}$, $[\mathrm{Sig}_{TSA}\{L_n\}]$ (5) 



The time certificate for $x_n$ is a pair $\tau(x_n) = (\mathcal{H}_{n-1}, T_{n,N})$, where $T_{n,N}$ is a set of hash values comprising a proof that the value of $L_N$ depends on $L_n$. The linking algorithms $\mathcal{L}$ and $\mathcal{H}$ can be chosen so that for any m < n the certificates $\tau(x_m) = (\mathcal{H}_{m-1}, T_{m,N})$ and $\tau(x_n) = (\mathcal{H}_{n-1}, T_{n,N})$ together are enough to construct a verifiable hash-chain from $L_m$ to $L_n$. At the same time, the size of a certificate is logarithmic in N. One such linking scheme, the threaded tree, is described in Appendix A. 

One important property of time certificates is that they can be extended, i.e. for any $N_1 > N$ the Relying party (say Bob) may request from the TSA a proof $T_{N,N_1}$ and then extend the certificate $\tau(x_n)$ from $\tau(x_n) = (\mathcal{H}_{n-1}, T_{n,N})$ to $(\mathcal{H}_{n-1}, T_{n,N_1})$. For extension, Bob sends the TSA a request which contains two numbers $(N, N_1)$. The TSA answers with $T_{N,N_1}$, which comprises a one-way link from $L_N$ to $L_{N_1}$. The answer may also be completed with the TSA's signature $\mathrm{Sig}_{TSA}\{L_{N_1}\}$. Therefore, the extension goes as follows: 

1. B → TSA: $(N, N_1)$ 
2. TSA → B: $T_{N,N_1}$, $[\mathrm{Sig}_{TSA}\{L_{N_1}\}]$ 

We mention without giving a proof that in the threaded tree linking scheme described in Appendix A, we can define an easily computable composition operation ∘, so that 

$$T_{n,N_1} = T_{n,N} \circ T_{N,N_1}.$$ 

The most important thing here is that Bob can extend a time stamp several times, whereas its size will stay logarithmic. This is not the case if we just concatenate $T_{n,N}$ and $T_{N,N_1}$, because doing so numerous times we end up with a linear certificate size. 

Therefore, if a set of time stamps is extended to the same published time stamp, their temporal order can be determined without the TSA. This is an important property from the viewpoint of availability. For example, the TSA may require that all the time stamps older than January 1, 2000 be extended to N, which was the first time stamp issued on that date. If the relying parties indeed do so, the values $L_0, \dots, L_{N-1}$ may be deleted from the TSA's server to save storage space. 

The main advantages of the time certificates approach over the previous ones are that (1) time certificates may always be extended to the most recently published log values, so users are able to audit the TSA by themselves; (2) time certificates can be used to verify the temporal order of documents off-line, without communicating with the TSA. 
Main drawback: increased fault-sensitivity. The computation of log items $L_n$ is (and should be!) extremely fault-sensitive. Hence, there is always a concern that errors in the log file will propagate into the future. As a result, the hash-chain splits into two parts, and time stamps in different parts are incomparable. If we compare the formulas of linear linking (2) and general linking (4), we notice that linear linking is less susceptible to error propagation because the value of $L_n$ depends only on $L_{n-1}$, whereas in the general linking scheme $\mathcal{H}_{n-1}$ may comprise relatively old $L_m$, with m ≪ n. Therefore, if something happens to $L_m$ in the interval between the creation of $L_m$ and $L_{n-1}$, computing $L_n$ in the next step leads to an erroneous log file. So far, almost no attention has been paid in the scientific literature to this concern. In Section 5 of this paper we propose a method of fault-tolerant linkage which significantly reduces the danger of fault propagation. 



3.4 Usage Example: Time Stamps for Digital Signatures 

Time-stamping of a digital signature begins with obtaining a freshness token from the TSA. The signer A (Alice) sends a request to the TSA and receives the most recent freshness token $\mathcal{H}_m$. In the hash-and-sign scheme, $\mathcal{H}_m = \mathrm{Sig}_{TSA}\{t\}$, where t is the current time. Alice first concatenates $\mathcal{H}_m$ with the message she wants to sign and then applies the signature algorithm to the concatenation. As a result, she has a signature $\sigma = \mathrm{Sig}_A\{X, \mathcal{H}_m\}$. Suppose B (Bob) is a relying party who received $\sigma$ and wants $\sigma$ to retain its provable authenticity. Usually, this means that B should be able to prove that $\sigma$ was created before Alice's public key was revoked. To obtain a time stamp, Bob computes a hash $x = h(\sigma)$ and sends x to the TSA as a time stamp request. 

A time-stamped signature comprises both the freshness token $\mathcal{H}$ and the stamp T issued by the TSA. In naive time-stamping systems, the stamp T is computed as follows: 

$$T = \mathrm{Sig}_{TSA}\{\mathrm{Sig}_A\{X, \mathcal{H}_t\}, t'\},$$ 

where $\mathcal{H}_t$ is either $\mathrm{Sig}_{TSA}\{t\}$, if Alice obtained a freshness token, or t, if Alice did not use the freshness token and added the time/date to the message herself. In certain applications this would be sufficient. Naturally, in this case t should be interpreted as the time/date at which Alice declares she signed X. Note that t (as opposed to $\mathrm{Sig}_{TSA}\{t\}$) under Alice's signature does not prove that the signature was actually created at t (or after). 

In a linkage-based time-stamping system, the TSA sends back the most recent linking item $L_n$. The pair $(\mathcal{H}_m, L_n)$ is called a preliminary time stamp for $\sigma$. For extension of this time stamp, Bob sends the TSA a request which contains two numbers (n, N), where N > n. The TSA answers with $T_{n,N}$ (and optionally, with the signature $\mathrm{Sig}_{TSA}\{L_N\}$). The triple $(\mathcal{H}_m, T_{n,N}, \mathrm{Sig}_{TSA}\{L_N\})$ is called a time certificate for $\sigma$. 

One must be careful in time-stamping digital signatures. Signature algorithms behave almost like one-way functions. However, if the key-space is also considered as part of the input space, the signature scheme as a function is not collision-free. Massias et al. showed that an attacker may generate a weak RSA key and back-date signatures created with that key. Note that this attack would work in both the hash-and-sign and the linkage-based time-stamping. To prevent this attack, it is sufficient to time-stamp a hash $h(\mathrm{Sig}_A\{X\})$ instead of time-stamping a pure signature $\sigma = \mathrm{Sig}_A\{X\}$. 

4 Time-Stamping with Multiple Servers 

Using multiple servers is an obvious approach when fighting against service un- 
availability and loss of data. In this section, we discuss what kind of benefits this 
approach would give in the case of absolute time-stamping and in linkage-based 
time-stamping. It turns out that the motivations of using multiple servers are 
somewhat different in those cases. 

As we show in this section, using multiple servers is both (1) a prevention 
measure and a (2) recovery measure. It helps to keep time stamping services 
available to clients, and in some cases, to restore the evidentiary value of time 
stamps if the keys are compromised (in absolute time-stamping) or if TSA’s 
database is lost (in linkage-based time-stamping). 

Assumptions. Suppose we have s mutually trusting time-stamping servers $TSA_1, \dots, TSA_s$. We emphasize that it is not assumed that the servers are completely trusted by all clients. To obtain a time stamp, the relying party may interact with all of these servers. The servers' interaction is assumed to be invisible to clients and to be protected using a standard authentication protocol (such as SSL). We assume that at every moment there is at least one server available to clients. 

4.1 Absolute Time-Stamping with Multiple Servers 

It turns out to be relatively easy to improve the availability of absolute time- 
stamping just by putting two or three servers together. We need servers’ interac- 
tion only to synchronize their clocks and in key change scenarios. Using multiple 
TSAs would enable us to solve the key change problem without storing all the 
time stamps in servers. 

To obtain a freshness token, Alice (A) sends a request to all three servers. The $TSA_i$ signs the current time $t_i$ and sends $\mathcal{H}^i = \mathrm{Sig}_{TSA_i}\{t_i\}$ back to A: 

1. ∀i: A → $TSA_i$: request 
2. ∀i: $TSA_i$ → A: $\mathcal{H}^i = \mathrm{Sig}_{TSA_i}\{t_i\}$ 

An s-tuple $\mathcal{H} = (\mathcal{H}^1, \dots, \mathcal{H}^s)$ is a freshness token. If Alice signs a message X together with the freshness token $\mathcal{H}$ then Bob can verify that the signature $\sigma = \mathrm{Sig}_A\{X, \mathcal{H}\}$ was created after $t = \max\{t_1, \dots, t_s\}$. 

To obtain a stamp for a bit-string x (for example, $x = \sigma$), Bob (B) sends x to all s servers. The $TSA_i$ adds the current time to x, signs the result and sends it back to B: 






1. ∀i: B → $TSA_i$: x 
2. ∀i: $TSA_i$ → B: $T^i = \mathrm{Sig}_{TSA_i}\{x, t_i\}$ 

An s-tuple $T = (T^1, \dots, T^s)$ is the stamp of x. T proves that $\sigma$ was created before $t' = \min\{t_1, \dots, t_s\}$. Accordingly, the triple $(\mathcal{H}, \sigma, T)$ proves that A signed X during $[t, t']$, assuming that the signature key of $TSA_i$ was valid and the $TSA_i$ itself is trustworthy. 

Key change. If the signature key of $TSA_1$ is compromised, the components $\mathcal{H}^1$ and $T^1$ signed with this key are no longer reliable. $TSA_1$ generates a new key and publishes it in a reliable and widely witnessed way. After that, clients may use a renewal protocol for replacing the components of T signed with the old key with components signed with the new key. The renewal protocol runs as follows: 

1. B → $TSA_1$: $\mathrm{Sig}_{TSA_1,old}\{x, t_1\}, \mathrm{Sig}_{TSA_2}\{x, t_2\}, \dots, \mathrm{Sig}_{TSA_s}\{x, t_s\}$ 
2. $TSA_1$ verifies the signatures $\mathrm{Sig}_{TSA_2}\{x, t_2\}, \dots, \mathrm{Sig}_{TSA_s}\{x, t_s\}$; 
   if the signatures are valid and given on the same x: 
3. $TSA_1$ → B: $\mathrm{Sig}_{TSA_1,new}\{x, \min\{t_2, \dots, t_s\}\}$. (9) 

Therefore, $TSA_1$ is able to renew time stamps without storing all the previously issued time stamps. 

Note also that signing old time stamps with a new key is not usable for freshness tokens added to digitally signed documents as signed attributes. To explain this, suppose that we have a signature $\sigma = \mathrm{Sig}_A\{X, H\}$ with a freshness token $H$ and the signature key of the TSA is compromised. We cannot just replace the key and sign $H$ again with a new key because then $\sigma$ would not be verifiable any more. Signatures are one-way operations and we cannot modify the content of a signed document without violating the signature. Freshness tokens signed with a compromised key are equivalent to plain time stamps created by the signer herself. As we will see later, relative time stamps do not suffer from this concern.



4.2 Linking with Multiple Servers 

As linking-based time stamps are keyless, key compromise is not a motivation for using multiple servers. Moreover, there are many wide-spread techniques for increasing the reliability of storage on the hardware level (e.g. RAID). Thereby, designing special protocols for time-stamping with multiple servers may seem unnecessary. Indeed, we may just use $s$ identical copies of a time-stamping server that uses a linking scheme, such that the clients would not even know that there actually are $s$ servers. However, if the motivation for using multiple servers is to increase the availability of the service, there should be multiple processes (running in separate machines) for creating new linking items when the request from a client is received. Just holding several copies is insufficient. One should also guarantee that each request from a client is transmitted to all servers identically. If anything here goes wrong, the servers end up with different linking chains. Considering the nature and purpose of time-stamping services, we cannot completely exclude the possibility of incoherence between the servers because its probability increases as we consider large time-frames. In this paper, we do not assume that each request is certainly received by all servers identically. Therefore, the linking chains (log files) maintained by the servers may be different. The protocol we describe is simple and does not require any additional means of reliable storage. Therefore, we increase the reliability. However, we pay the price in the time certificate size, which increases approximately $s$ times. The protocol may be of interest if the documents time-stamped have a relatively high monetary value. Otherwise, standard tools (RAID etc.) would do their job well.

Assumptions and notation. Each server uses a linking scheme described by the general linking formulae. The $n$-th log item created by the $i$-th server $\mathrm{TSA}_i$ will be denoted as $L^i_n$. Similarly, we use $H^i_n$ and $T^i_{n,N}$ to denote, respectively, the freshness tokens and the relative proofs generated by $\mathrm{TSA}_i$.

Freshness tokens and stamps. To obtain a freshness token, Alice sends each of the servers a request and obtains answers from each of them independently. Each answer consists of $s$ hash values. For example, an answer from $\mathrm{TSA}_1$ is

$(H^1_{m_{11}},\ H^2_{m_{12}},\ \ldots,\ H^s_{m_{1s}}),$

where $H^j_{m_{ij}}$ is the freshness token issued by $\mathrm{TSA}_j$ which $\mathrm{TSA}_i$ knows to be the most recent one. These values are distributed between the servers using protocols which we describe later. If a server $\mathrm{TSA}_i$ is down and does not answer, we set $m_{i1} = m_{i2} = \ldots = m_{is} = 0$. The freshness token protocol runs as follows:

1. $\forall i$: A $\to \mathrm{TSA}_i$: request$_A$
2. $\forall i$: $\mathrm{TSA}_i \to$ A: $(H^1_{m_{i1}}, \ldots, H^s_{m_{is}})$
3. $\forall j$: A computes: $m_j = \max\{m_{1j}, m_{2j}, \ldots, m_{sj}\}$
4. A computes: $H = (H^1_{m_1}, \ldots, H^s_{m_s})$



Existence tokens are obtained almost in the same way as in the one-server case. The relying party sends time stamp requests to all servers and obtains time stamps from all of them except those being inaccessible at the moment.

1. $\forall i$: B $\to \mathrm{TSA}_i$: $x$
2. $\forall i$: $\mathrm{TSA}_i \to$ B: $H^i_{n_i-1},\ [\sigma_i = \mathrm{Sig}_{\mathrm{TSA}_i}\{L^i_{n_i}\}]$   (11)

The time-certificate $t(x)$ for $x$ is an $s$-tuple $((H^1_{n_1-1}, [\sigma_1]), (H^2_{n_2-1}, [\sigma_2]), \ldots, (H^s_{n_s-1}, [\sigma_s]))$, the components of which are ordinary time stamps (already familiar to us from the one-server case).



Extension of a time-certificate is performed on a component-wise basis. Each component is extended using the same protocol as introduced in the one-server case. For extension of the $i$-th component of a time-certificate, the relying party (Bob) sends $\mathrm{TSA}_i$ a request which contains two numbers $(n_i, N_i)$ with $N_i > n_i$. The $\mathrm{TSA}_i$ answers with $T^i_{n_i,N_i}$ and, optionally, with the signature $\mathrm{Sig}_{\mathrm{TSA}_i}\{H^i_{N_i}\}$.

1. B $\to \mathrm{TSA}_i$: $(n_i, N_i)$
2. $\mathrm{TSA}_i \to$ B: $T^i_{n_i,N_i},\ [\mathrm{Sig}_{\mathrm{TSA}_i}\{H^i_{N_i}\}]$



Boot. If $\mathrm{TSA}_1$ wakes up, it checks whether it has stored values of $n_{11}, \ldots, n_{1s}$. These values may be missing either because the server has never been up before or because the linkage data has been destroyed in the last crash. In that case, $\mathrm{TSA}_1$ sets $n_{11} = n_{12} = \ldots = n_{1s} = 0$. After that, $\mathrm{TSA}_1$ obtains (using protocol (10)) freshness tokens from the other servers and starts linking from the latest values the other servers know.

1. $\forall j > 1$: $\mathrm{TSA}_1 \to \mathrm{TSA}_j$: request
2. $\forall j > 1$: $\mathrm{TSA}_j \to \mathrm{TSA}_1$: $(H^1_{n_{j1}}, \ldots, H^s_{n_{js}})$
3. $\forall j$: $\mathrm{TSA}_1$ computes: $n_{1j} := \max\{n_{1j}, n_{2j}, \ldots, n_{sj}\}$   (13)

Let $n = n_{11}$. If the database was indeed destroyed during the last crash, $\mathrm{TSA}_1$ sets $x_{n+1} = h(H^2_{n_{12}}, \ldots, H^s_{n_{1s}})$ and creates $L^1_{n+1}$ and $H^1_{n+1}$ using the linking formulae. If the older time-certificates are then completed with the list $(H^2_{n_{12}}, \ldots, H^s_{n_{1s}})$, then we are again able to compare (off-line) time stamps issued by $\mathrm{TSA}_1$ with older time stamps issued by other servers before the crash.



New linking item. If the server $\mathrm{TSA}_i$ creates a new linking item $L^i_{n_i+1}$, it computes $H^i_{n_i+1}$ and sends it immediately to the other servers. For example, if $i = 1$ the following protocol is completed:

1. $\mathrm{TSA}_1$ computes $n_{11} := n_{11} + 1$
2. $\forall j > 1$: $\mathrm{TSA}_1 \to \mathrm{TSA}_j$: $H^1_{n_{11}}$
3. $\forall j > 1$: $\mathrm{TSA}_j$ computes: $n_{j1} := n_{11}$   (14)



5 Fault Tolerant Linking 

As mentioned above, the linking items $L_n$ may get corrupted, either because of occasional errors in hardware or bugs in programs running in the same computer with the TSA software. In linking schemes such errors would propagate to the future and affect the correctness of a large number of time stamps. This threat is even more dangerous than a complete destruction of the TSA's database because the TSA is unaware of the disaster and the service may stay unavailable for a long time. Therefore, some detection measures would be desirable. Error detection codes are the most widespread means against the loss/corruption of data. However, instead of including additional data fields into the linking scheme, we may use the linking scheme itself to detect and correct occasional losses of data. The crucial idea is that a collision-resistant hash function itself is a very efficient error detection code. According to the linking equations, we define error detection codes for $L_n$ and for $H_n$ as follows:

$\mathrm{Code}(L_n) = (x_n, H_{n-1}), \qquad \mathrm{Code}(H_n) = (L_n, H_{n-1}).$   (15)
Verifying the code just means verifying the linking equations. Before computing the values of $L_n$ and $H_n$ by these formulae, the TSA checks the code $\mathrm{Code}(H_{n-1})$. If the code is not OK (i.e. if $H_{n-1} \neq h(L_{n-1}, H_{n-2})$), then the TSA concludes that the database is corrupted.

Note that the codes will work only if the errors are occasional, i.e. are not caused intentionally by an attacker. For example, if an attacker modifies $L_{n-1}$ and $H_{n-2}$ and computes a new value for $H_{n-1}$ using the linking equations, then the error detection procedure we described would not detect any changes because $\mathrm{Code}(H_{n-1})$ is correct. Therefore, if errors are occasional, any error which affects future computations is detected at the very next linkage step. Indeed, the linking equations show that if the value of $H_{n-1}$ is correct and the request $x_n$ is obtained correctly, then the values $L_n, H_n$ can also be computed correctly. Any error which does not change $H_{n-1}$ has no influence on future computations.

Note also that, in principle, the TSA may also try to correct errors by using 
the codes recursively. This idea needs further research and is not discussed in 
this paper. 
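As an added illustration (not code from the paper), the following Python sketch implements the check described above for the simplest linking scheme that satisfies the codes in (15), namely $L_n = h(x_n, H_{n-1})$ and $H_n = h(L_n, H_{n-1})$,
with $h$ assumed to be SHA-256; the chain, the request strings and the corruptions are all constructed here.

```python
import hashlib


def h(*parts):
    """Collision-resistant hash of a tuple of byte strings (assumed: SHA-256
    over length-prefixed parts, so a tuple cannot be confused with a shifted one)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


class DatabaseCorrupted(Exception):
    pass


class LinkingTSA:
    """Chain linking: L_n = h(x_n, H_{n-1}), H_n = h(L_n, H_{n-1}) for n >= 1.
    Code(L_n) = (x_n, H_{n-1}) and Code(H_n) = (L_n, H_{n-1}) as in (15)."""

    def __init__(self, genesis=b"constructed genesis value"):
        # Index 0 holds a fixed H_0 with no request behind it.
        self.x = [None]
        self.L = [None]
        self.H = [h(genesis)]

    def code_L_ok(self, n):
        return self.L[n] == h(self.x[n], self.H[n - 1])

    def code_H_ok(self, n):
        return self.H[n] == h(self.L[n], self.H[n - 1])

    def link(self, x_n):
        """Create linking item n; the TSA first checks Code(H_{n-1})."""
        n = len(self.H)
        if n > 1 and not self.code_H_ok(n - 1):
            raise DatabaseCorrupted("Code(H_%d) failed" % (n - 1))
        L_n = h(x_n, self.H[n - 1])
        H_n = h(L_n, self.H[n - 1])
        self.x.append(x_n)
        self.L.append(L_n)
        self.H.append(H_n)
        return n, L_n, H_n

    def audit(self):
        """Off-line check of every code; returns the indices whose codes fail."""
        return [n for n in range(1, len(self.H))
                if not (self.code_L_ok(n) and self.code_H_ok(n))]


def flip_bit(value):
    """Constructed 'occasional error': one bit of a stored value changes."""
    return bytes([value[0] ^ 0x01]) + value[1:]


def fresh_chain():
    tsa = LinkingTSA()
    for x in (b"request-1", b"request-2", b"request-3"):
        tsa.link(x)
    return tsa


def latest_H_corruption_is_detected():
    """Error in H_3: the very next linkage step must refuse to continue."""
    tsa = fresh_chain()
    tsa.H[3] = flip_bit(tsa.H[3])
    try:
        tsa.link(b"request-4")
    except DatabaseCorrupted:
        return True
    return False


def old_L_corruption_found_only_by_audit():
    """Error in L_1 leaves H_3 intact, so the next step proceeds (the error
    cannot affect future items); only a full audit reports item 1."""
    tsa = fresh_chain()
    tsa.L[1] = flip_bit(tsa.L[1])
    tsa.link(b"request-4")
    return tsa.audit()


def consistent_rewrite_passes_next_step_check():
    """The limitation noted in the text: if L_2 and H_1 change and H_2 is
    recomputed from them, Code(H_2) is correct and the next step cannot
    notice; a full audit still reports items 1 and 2, whose own codes break."""
    tsa = LinkingTSA()
    tsa.link(b"request-1")
    tsa.link(b"request-2")
    tsa.L[2] = flip_bit(tsa.L[2])
    tsa.H[1] = flip_bit(tsa.H[1])
    tsa.H[2] = h(tsa.L[2], tsa.H[1])
    return tsa.code_H_ok(2), tsa.audit()
```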



6 Conclusions 

This paper indicates that practical problems related to the reliability of digital time-stamping services are far from being completely solved. One such problem is availability, which has not been sufficiently addressed in the scientific literature so far. We discussed the availability concerns of both the hash-and-sign and the linkage-based time-stamping systems. We showed how the use of multiple servers eliminates one of the most important threats in hash-and-sign time-stamping: the TSA key compromise. We pointed out a new weakness in linkage-based time-stamping, fault-sensitivity, which arises in its full strength in binary linking schemes [ref]. To overcome the fault-sensitivity concern, we proposed a new approach, fault-tolerant linking, which in our opinion deserves future research.
7 Appendix A: Linking Scheme

For the readers interested in details, we present as an example the linking scheme construction given in [ref]. In Fig. 4 we see a fragment of this scheme with only five leaves numbered with 0-4. This fragment is created using the following formulae:

$L_0 = h(x_0),\quad L_1 = h(x_1, L_0),\quad L_{01} = h(L_0, L_1),$
$L_2 = h(x_2, L_{01}),$
$L_3 = h(x_3, L_{01}, L_2),\quad L_{23} = h(L_2, L_3),\quad L_{0123} = h(L_{01}, L_{23}),$
$L_4 = h(x_4, L_{0123}).$

To define this linking scheme in the general case, we use binary codes to enumerate linking items. For example, we denote $L_2$ with 010, i.e. with the binary representation of 2. The non-leaf vertices are numbered by using the additional symbol $*$. For example, $L_{23}$ is denoted as $01*$ because it represents (is a parent-vertex of) a pair of leaves $\{010, 011\}$. For similar reasons, $L_{0123}$ is represented by the codeword $0**$ because it represents a pair of vertices $\{00*, 01*\}$. Let $b_{k-1} \ldots b_0$ be the binary representation of $n$. Then $H_{n-1}$ is a set of codewords:

$H_{n-1} = \{\, b_{k-1} b_{k-2} \cdots b_{i+1}\, 0\, \underbrace{* \cdots *}_{i} \mid 0 \le i < k,\ b_i = 1 \,\}.$
Fig. 4. The threaded-tree linking scheme [ref] (figure not reproduced: leaves $x_0, x_1, x_2, x_3, x_4$ with root vertex $L_{0123}$).



For example, in the scheme depicted in Fig. 4, we have $H_2 = \{010, 00*\} = \{L_2, L_{01}\}$. Let $n' > n$ be another $k$-bit integer with binary representation $b'_{k-1} \cdots b'_0$. Let $m$ be the smallest index such that

$b_{k-1} = b'_{k-1},\ b_{k-2} = b'_{k-2},\ \ldots,\ b_m = b'_m,$

i.e. $b_{m-1} \neq b'_{m-1}$; therefore, considering that $n' > n$, we know that $b_{m-1} = 0$ and $b'_{m-1} = 1$. In that case,

$T_{n,n'} = H_{n'-1} \cup \{x_{n'}\} \cup \{\, b_{k-1} \cdots b_m b_{m-1} \cdots b_{i+1} * \cdots * \mid 0 \le i < m \,\}.$

It can be easily proved that having two pairs

$(T_{n_1,N}, H_{n_1})$ and $(T_{n_2,N}, H_{n_2})$

such that $n_1 < n_2 < N$, then $T_{n_1,N}$ and $H_{n_2}$ together are sufficient to compute a one-way link from $L_{n_1}$ to $L_{n_2}$.
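Added example (not code from the paper): a Python construction of the threaded-tree scheme above for $k$-bit indices, with $h$ assumed to be SHA-256; it derives $H_{n-1}$ from the codeword formula and rebuilds the vertices of Fig. 4 from constructed requests $x_0, \ldots, x_4$.

```python
import hashlib


def h(*parts):
    """Assumed hash h: SHA-256 over length-prefixed byte strings."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


def bits(n, k):
    """Codeword of leaf L_n: b_{k-1} ... b_0, the k-bit binary form of n."""
    return format(n, "0%db" % k)


def freshness_codewords(n, k):
    """H_{n-1} = { b_{k-1} ... b_{i+1} 0 *...* (i stars) : 0 <= i < k, b_i = 1 },
    listed with i decreasing, the order in which L_n = h(x_n, ...) uses them."""
    b = bits(n, k)              # b[k-1-i] is bit b_i
    words = []
    for i in range(k - 1, -1, -1):
        if b[k - 1 - i] == "1":
            words.append(b[:k - 1 - i] + "0" + "*" * i)
    return words


class ThreadedTree:
    """Vertices keyed by codeword: leaves like '010', inner vertices like '01*'."""

    def __init__(self, k):
        self.k = k
        self.node = {}
        self.n = 0                 # index of the next leaf

    def add(self, x_n):
        n, k = self.n, self.k
        thread = [self.node[c] for c in freshness_codewords(n, k)]
        leaf = bits(n, k)
        self.node[leaf] = h(x_n, *thread)
        # Every inner vertex whose right-most leaf is n becomes computable now:
        # for each trailing run of 1-bits in n its codeword is the prefix
        # b_{k-1} ... b_{i+1} followed by i+1 stars, hashed from its two children.
        for i in range(k):
            if leaf[k - 1 - i] != "1":
                break
            prefix = leaf[:k - 1 - i]
            left = self.node[prefix + "0" + "*" * i]
            right = self.node[prefix + "1" + "*" * i]
            self.node[prefix + "*" * (i + 1)] = h(left, right)
        self.n += 1
        return self.node[leaf]


def build_fig4():
    """Constructed requests x_0..x_4 run through the 3-bit scheme of Fig. 4."""
    xs = [b"x%d" % i for i in range(5)]
    tree = ThreadedTree(k=3)
    for x in xs:
        tree.add(x)
    return xs, tree
```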
Abstract. Some secret sharing schemes can be used with only certain algebraic structures (for example fields). Group independent linear threshold sharing (GILTS) refers to a t out of n linear threshold secret sharing scheme that can be used with any finite abelian group. Although group independent secret sharing schemes have long existed, here we formally introduce the definition of group independent linear threshold sharing. Using tools developed by [ref], we develop some new necessary conditions for a GILTS. In addition, we develop lower bounds concerning the amount of randomness required within a GILTS.

Keywords: Threshold secret sharing, Linear secret sharing, Randomness requirements.



1 Introduction 

Secret sharing is important in the cases where a secret needs to be distributed over a set of n participants so that only authorized subsets of participants can recover the secret. A setting where the authorized sets consist of all subsets of t or more is called a t out of n threshold secret sharing scheme. Some threshold schemes are constructed for certain algebraic structures, such as fields, groups, semi-groups, etc. Shamir's scheme [ref] provides an efficient way to construct t out of n threshold sharing over a field. However, in many cases the setting of the secret space is not a field, for example in RSA [ref]. In some cases when the share space is not a field, it is possible to embed the secret within a field and share it using Shamir's secret sharing scheme. The importance of threshold cryptography, especially in the context of threshold signature sharing, was noted in [ref]. Within a threshold signature scheme, the participants are not recovering the secret but a function of the secret (i.e. a signature). In such cases, one cannot embed the secret within a field, and must use the algebraic structure in which the secret space resides. When developing RSA threshold signature schemes an alternative to Shamir's scheme must be used. Some of these alternatives rely on tailoring the scheme to this algebraic setting; some examples of this approach include [refs]. Other alternatives introduced the concept of developing threshold schemes which can be used over any finite abelian group, see [ref]. Another alternative described how threshold sharing can be achieved over any finite group [ref], even non-abelian groups; this can as well be used with abelian groups. The solutions in [ref] provided zero-knowledge threshold sharing. Thus these methods achieve zero-knowledge RSA threshold sharing. Further, in [ref] it has been noted that under certain conditions, the group independent threshold scheme by Desmedt and Frankel [ref] can be more efficient than Shoup's threshold signature scheme [ref]. Consequently, the importance of threshold sharing over any finite abelian group has been discussed in detail. This paper will provide a formal definition of what we call group independent linear threshold secret sharing (GILTS), and build off the concepts and tools developed in [ref]. Moreover, we establish bounds on the amount of randomness required by the dealer to create a t out of n group independent linear threshold scheme (GILTS).

* This work was partially funded by NSF grant GCR-9508528

The organization of this paper is as follows: first we provide background and define a GILTS; we discuss the tools developed by Desmedt and Jajodia in [ref]; we recall some of the work concerning dealer randomness within secret sharing schemes, and highlight those that impact our discussion; lastly we develop our lower bounds concerning randomness $R$ in a GILTS. In all cases, these bounds are lower bounds when working with groups $\mathcal{K}$ of exponent 2. The implication is that if the scheme is a GILTS, and for example, we have determined that $R$ must satisfy a lower bound when $\mathcal{K}$ has exponent 2, then it must satisfy that lower bound if it is a GILTS. Of course, such logic would not be possible in the derivation of upper bounds. A point we wish to make is that once we adopt a group $\mathcal{K}$ with a specific exponent then the $R$ that we are referring to is $R_{\mathcal{K}}$, the randomness needed in a t out of n threshold scheme of that given exponent. In an effort to simplify notation we will refer to $R_{\mathcal{K}}$ as $R$ when there is no ambiguity.

2 Definitions and Notation 

$M_{m \times n}(\mathbb{Z})$ represents the set of all $m$ by $n$ matrices with integer entries. If $A$ is a matrix, its transpose will be denoted by $A^T$. A row (column) operation of type I is a row (column) interchange. A row (column) operation of type II is a row (column) multiplied by a nonzero constant. A row (column) operation of type III is a row (column) multiplied by a nonzero constant added to another row (column), leaving this result in the second row (column). The rank of a matrix is the number of linearly independent rows within the matrix. If $x_1, \ldots, x_n$ are vectors then a linear combination is $\sum_i \lambda_i x_i$ where $\lambda_i \in \mathbb{Z}$. $GL_n(\mathbb{Z})$ will denote the group with respect to matrix multiplication of all $n \times n$ nonsingular integer matrices (see [ref]). All row vectors will be denoted as $x$. Column vectors will be denoted by $x$. The exponent of a group $G$ is the smallest positive integer $a$ such that $g^a$ is the identity for all elements $g \in G$.

If $G$ is an additive group then the exponent is the smallest positive integer $a$ such that $ag = e$ for all $g \in G$.
Definition 1. A perfect t out of n threshold scheme is such that given a secret $k$, any set of at least $t$ participants can compute $k$, and any subset of $t-1$ or fewer participants gains no information about $k$. If $s_1, \ldots, s_n$ represent the shares distributed to the $n$ participants, then the security conditions are:

(i) $\mathrm{Prob}(\mathbf{k} = k \mid \mathbf{s}_{i_1} = s_{i_1}, \ldots, \mathbf{s}_{i_t} = s_{i_t}) = 1$

(ii) $\mathrm{Prob}(\mathbf{k} = k \mid \mathbf{s}_{j_1} = s_{j_1}, \ldots, \mathbf{s}_{j_{t-1}} = s_{j_{t-1}}) = \mathrm{Prob}(\mathbf{k} = k)$

The set $\Gamma$ of all sets of $t$ or more participants is called the access structure. Because every set of $t$ or more participants contains a set of precisely $t$ participants, we will use $\Gamma_0$ to represent those sets which contain exactly $t$ participants.

Definition 2. [ref] A linear secret sharing scheme is one in which for each set $B = \{i_1, \ldots, i_t\}$ of $t$ participants, the secret $k$ can be written as $k = \sum_{j=1}^{t} \psi_{B,i_j}(s_{i_j})$, where $\psi_{B,i_j}$ is a homomorphism from participant $P_{i_j}$'s share space $S_{i_j}(+)$ to the keyspace $\mathcal{K}(+)$.

This can be algebraically represented as:

$$\begin{bmatrix} \psi_{B_1,1} & \psi_{B_1,2} & \cdots & \psi_{B_1,n} \\ \psi_{B_2,1} & \psi_{B_2,2} & \cdots & \psi_{B_2,n} \\ \vdots & \vdots & & \vdots \\ \psi_{B_{|\Gamma_0|},1} & \psi_{B_{|\Gamma_0|},2} & \cdots & \psi_{B_{|\Gamma_0|},n} \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{bmatrix} = \begin{bmatrix} k \\ k \\ \vdots \\ k \end{bmatrix}$$

where $\psi_{B_i,j} \cdot s_j$ represents $\psi_{B_i,j}(s_j)$.

There are many examples of threshold schemes which are linear, including [refs]. Further, in the schemes [refs], the key space can be interpreted as a module with left scalars from a commutative ring. In the case of [ref], and others, this ring is $\mathbb{Z}$ (the set of integers). Thus the scheme itself can be written in the form of a matrix with integer entries. The number of rows of this matrix would be at least $\binom{n}{t}$.



2.1 Definition of a t out of n Group Independent Linear Threshold 
Sharing Scheme 

Definition 3. Let $\mathbf{K} = \{\mathcal{K} \mid \mathcal{K}$ is a finite abelian group$\}$. A group independent t out of n linear threshold scheme is an ordered pair $(\Psi, S)$ such that:

(1) For each $\mathcal{K} \in \mathbf{K}$ and for each $i = 1, \ldots, n$ there corresponds a sharespace $S_{i,\mathcal{K}}$. Write $S_i = \{S_{i,\mathcal{K}} : \mathcal{K} \in \mathbf{K}\}$ and $S = (S_1, S_2, \ldots, S_n)$.

(2) For all $B \in \Gamma_0$ and for all $i$ there exists a function $\psi_{B,i}$ such that for all $\mathcal{K} \in \mathbf{K}$, $\psi_{B,i} : S_{i,\mathcal{K}} \to \mathcal{K}$ is a homomorphism. Further, for all $k \in \mathcal{K}$, shares $s_i$ belonging to $S_{i,\mathcal{K}}$ are distributed to participant $P_i$ such that $\forall B \in \Gamma_0$,

$k = \sum_{i \in B} \psi_{B,i}(s_i),$

(3) $\mathrm{Prob}(\mathbf{k} = k \mid \mathbf{s}_{i_1} = s_{i_1}, \ldots, \mathbf{s}_{i_{t-1}} = s_{i_{t-1}}) = \mathrm{Prob}(\mathbf{k} = k)$, and

(4) $\mathrm{Prob}(\mathbf{k} = k \mid \mathbf{s}_{i_1} = s_{i_1}, \ldots, \mathbf{s}_{i_t} = s_{i_t}) = 1$.

We represent $\Psi = [\psi_{B,i}]_{i = 1, \ldots, n;\ B \in \Gamma_0}$.
Example 1. [ref] A group independent 2 out of 3 threshold scheme.

Let $k$ represent an indeterminate which, once a group $\mathcal{K}$ is chosen, will be replaced by the secret. Let $r_1$ and $r_2$ represent indeterminates which, once $\mathcal{K}$ is fixed, will be selected randomly from $\mathcal{K}$ to achieve Definition 3 (3) and (4). For all $\mathcal{K} \in \mathbf{K}$, define $S_{1,\mathcal{K}} = \mathcal{K}$, $S_{i,\mathcal{K}} = \mathcal{K} \times \mathcal{K}$ for $i = 2, 3$. There are 3 sets which belong to $\Gamma_0$. Define $\psi_{\{1,2\},1}(x) = x$, $\psi_{\{1,3\},1}(x) = x$, $\psi_{\{1,2\},2}(x_1, x_2) = -x_1$, $\psi_{\{2,3\},2}(x_1, x_2) = x_2$, $\psi_{\{1,3\},3}(x_1, x_2) = -x_1$, and $\psi_{\{2,3\},3}(x_1, x_2) = -x_2$. For $i \notin B$, $B \in \Gamma_0$, define $\psi_{B,i}(x) = 0$.

Shares will be distributed as follows: $P_1$ has 1 subshare with $s_1 = k + r_1$, $P_2$ has 2 subshares with $s_2 = [r_1, k + r_2]^T$, and $P_3$ has 2 subshares with $s_3 = [r_1, r_2]^T$. Once a group $\mathcal{K}$ is fixed, and the secret $k$ is selected, assuming that the distribution of the secrets is uniform over $\mathcal{K}$, we randomly and independently select $r_1$ and $r_2$ from $\mathcal{K}$. We satisfy Definition 3 due to the one-time pad.

Of course there is a simpler representation of $\Psi$ so that $\Psi[s_1, s_2, s_3]^T = [k, k, k]^T$. That is,

$$\begin{bmatrix} 1 & -1 & 0 & 0 & 0 \\ 1 & 0 & 0 & -1 & 0 \\ 0 & 0 & 1 & 0 & -1 \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \\ s_3 \end{bmatrix} = \begin{bmatrix} k \\ k \\ k \end{bmatrix}$$



More examples are provided in the appendix. 
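Added example (not code from the paper): Example 1 carried out in Python over arbitrary finite abelian groups. Writing each group as a product of cyclic groups, the column order of the subshares and the constructed test groups ($\mathbb{Z}_6$ and $\mathbb{Z}_2 \times \mathbb{Z}_4$, neither a field) are assumptions made here; the integer entries of $\Psi$ act only through repeated group addition, which is what makes the reconstruction group independent.

```python
import secrets
from itertools import product


class ProductGroup:
    """Finite abelian group Z_{m_1} x ... x Z_{m_r}, written additively.
    Every finite abelian group is isomorphic to such a product, so this
    covers the class K of Definition 3; the moduli need not be prime."""

    def __init__(self, moduli):
        self.moduli = tuple(moduli)

    def zero(self):
        return tuple(0 for _ in self.moduli)

    def add(self, a, b):
        return tuple((u + v) % m for u, v, m in zip(a, b, self.moduli))

    def neg(self, a):
        return tuple((-u) % m for u, m in zip(a, self.moduli))

    def scale(self, c, a):
        """Integer scalar c applied to a: repeated addition (double-and-add),
        the only way an integer can act on an element of a generic group."""
        if c < 0:
            c, a = -c, self.neg(a)
        acc = self.zero()
        while c:
            if c & 1:
                acc = self.add(acc, a)
            a = self.add(a, a)
            c >>= 1
        return acc

    def random(self):
        return tuple(secrets.randbelow(m) for m in self.moduli)

    def elements(self):
        return product(*(range(m) for m in self.moduli))


# Integer matrix Psi of Example 1, one row per B in Gamma_0. The columns are
# the subshares s_1, s_21, s_22, s_31, s_32 (assumed order); OWNER names the
# participant holding each column.
PSI = {
    (1, 2): [1, -1, 0, 0, 0],
    (1, 3): [1, 0, 0, -1, 0],
    (2, 3): [0, 0, 1, 0, -1],
}
OWNER = [1, 2, 2, 3, 3]


def deal(G, k, r1=None, r2=None):
    """Dealer: s_1 = k + r1, s_2 = [r1, k + r2]^T, s_3 = [r1, r2]^T (R = 2)."""
    r1 = G.random() if r1 is None else r1
    r2 = G.random() if r2 is None else r2
    subshares = [G.add(k, r1), r1, G.add(k, r2), r1, r2]
    return {p: [s for s, o in zip(subshares, OWNER) if o == p] for p in (1, 2, 3)}


def reconstruct(G, B, shares):
    """Participants in B apply row psi_B; only their own subshares are read,
    the zero coefficients of the others never touch a share value."""
    row = PSI[tuple(sorted(B))]
    columns = [s for p in (1, 2, 3)
               for s in (shares[p] if p in B else [None] * OWNER.count(p))]
    acc = G.zero()
    for coeff, s in zip(row, columns):
        if coeff != 0:
            acc = G.add(acc, G.scale(coeff, s))
    return acc


def views_of(G, participant, k):
    """Every share value `participant` could receive for secret k (exhaustive
    over r1, r2); equal sets for different k mean one share reveals nothing."""
    return {tuple(deal(G, k, r1, r2)[participant])
            for r1 in G.elements() for r2 in G.elements()}
```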



2.2 Our Assumption on Group Independent Linear Threshold 
Sharing 

For each set $B$ of $t$ participants, and for each $i \in B$, we would like $\psi_{B,i}$ to be group independent. That is, the threshold scheme can be used with any finite abelian group such that the reconstruction algorithm is independent of the group. The only method known so far to achieve this is to have $S_{i,\mathcal{K}}$ be the direct product $\mathcal{K}^{a_i}$ (here $S_{i,\mathcal{K}}$ denotes participant $P_i$'s share space, $\mathcal{K}$ is the keyspace, and $a_i$ is some positive integer), and to have $\psi_{B,i}$ be a row matrix (with $a_i$ columns) of integers (i.e. $P_i$ possesses subshares which belong to the keyspace). Such a threshold scheme can be described by an integer matrix $\Psi$ such that for each set $B$ there corresponds a row $\psi_B$ of $\Psi$. That is, the row $\psi_B = [\psi_{B,1}\ \psi_{B,2} \cdots \psi_{B,n}]$, where for each $i$, $\psi_{B,i}$ is a row vector of integers of length $a_i$ (see the above example as a reference). In general, whenever $i \notin B$, then $\psi_{B,i}$ would be a row of zeros.

For each $i$, $s_i$ denotes the share distributed to $P_i$. This share consists of subshares; the subshares of participant $P_i$ will be denoted by $s_{ij}$ and we will write $s_{ij} \in s_i$. We will assume that all subshares are used in $\Psi$. As $s_{ij}$ must be used in $\Psi$ there exists a row $\psi$ in $\Psi$ such that the coefficient in the column for $s_{ij}$ of row $\psi$ is nonzero.

There is no requirement that the integers in $\Psi$ be chosen from $1$, $-1$, or $0$.
2.3 The Basic Model

Let $\Psi$ describe a group independent t out of n threshold scheme. Then $\Psi$ is a matrix with integer entries and $\sum_i a_i$ columns. Shares are distributed to the $n$ participants (which we collectively represent by $s$) such that

$\Psi s = k$ where $k = [\alpha_1 k, \alpha_2 k, \ldots]^T$,   (1)

and $\alpha_i$ is either 0 or 1. When $\alpha_i = 1$, this row describes how the set of participants (those with nonzero entries) can compute $k$. When $\alpha_i = 0$, this describes a linear dependence between the subshares (those with nonzero entries). We can represent $\Psi$ by $[A_1 \mid A_2 \mid \cdots \mid A_n]$, where the submatrices $A_i$ denote the blocks which pertain to participant $P_i$. Since there exists a reconstruction algorithm which is independent of the group, we see that for each $B = \{i_1, \ldots, i_t\}$ there exists a row $\psi_B$ of $\Psi$ such that: there are nonzero entries in those blocks which pertain to participants $P_{i_1}, \ldots, P_{i_t}$, for all other blocks the coefficients are zero, and $\psi_B s = k$. Thus this row (call it the $j$-th) is such that $\alpha_j = 1$. Therefore

3 A Representation of s 

The goal of this section is to provide equations which define $s$. Some of the material in this section is due to [ref]. The following treatment is reminiscent of van Dijk's [ref], except that in that setting $\mathcal{K}$ is a field, whereas we are working with finite abelian groups. The tools that can be used when working with a field are much broader than the tools that we can employ. For example, in a field all square matrices of full rank are nonsingular. Here, we are working with finite abelian groups. One must be careful, for an integer scalar applied to a group element represents repeated computations with the group element. Thus in our treatment, all scalars must be integers. We require that all matrices have integer entries. Further, an invertible matrix should satisfy that its inverse has integer entries. This restricts row/column operations on matrices to those of type I and/or III. It is permitted to perform a row (column) operation of type II as long as we restrict ourselves to multiplying the row (column) by the scalar $-1$. If a group $\mathcal{K}$ is fixed then one will be permitted to multiply rows (columns) by other nonzero scalars. (For example, if the fixed group $\mathcal{K}$ has a prime exponent, then the entries in $\Psi$, where entries are reduced modulo the exponent, belong to a field. Then one can use any nonzero field element as a scalar and perform row/column operations of type II.) Lastly, there will be occasions when we do use row operations of type II with integer scalars, but in those cases the inverse of the matrix will not be relevant and will not be used.

The threshold scheme $\Psi$ defines dependencies between shares. To reduce the amount of randomness needed, one may want to introduce additional dependencies in $\Psi$. Such a dependency is introduced when $\alpha_i = 0$. To illustrate this we provide two examples in the appendix, see Examples 2 and 3.
Many of our results for a GILTS (group independent linear threshold scheme) are developed using familiar mathematical tools like reduction to Smith-normal form, reduction to Gauss-Jordan form, etc. Often these tools are applied to the general representations of $\Psi$; at other times these tools are applied to the scheme where a group $\mathcal{K}$ has been adopted. Note that any lower bound required by a group $\mathcal{K}$ implies a lower bound for the GILTS. It is important to realize that the consequence of the implementation of these tools, for example reduction to Smith-normal form, may be different dependent on whether it is applied to the general $\Psi$ or to the result of adopting the group $\mathcal{K}$. We always use a subscript $\mathcal{K}$ to indicate that the matrices will be reduced modulo the exponent of $\mathcal{K}$.



3.1 Reduction to Smith-Normal Form 



An important tool will be the reduction to Smith-normal form on a matrix (for more information see [refs]). Its use in this context for secret sharing was first made in [ref], as far as we know. In this section, we survey the results given in [ref].

Suppose that $\Psi$ is reduced to Smith-normal form. Then there exist $U \in GL(m, \mathbb{Z})$, $m$ being the number of rows of $\Psi$, and $V \in GL(\sum_i a_i, \mathbb{Z})$ such that $U \Psi V = D$ where

$$D = \begin{bmatrix} d_1 & 0 & \cdots & 0 & 0 & \cdots & 0 \\ 0 & d_2 & \cdots & 0 & 0 & \cdots & 0 \\ \vdots & & \ddots & & & & \vdots \\ 0 & 0 & \cdots & d_l & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 & 0 & \cdots & 0 \\ \vdots & & & & & & \vdots \\ 0 & 0 & \cdots & 0 & 0 & \cdots & 0 \end{bmatrix}$$

$U$ and $V$ are nonsingular matrices which have integer entries, the invariant factors $d_i$ of $\Psi$ are integers and satisfy $d_i \mid d_{i+1}$, and $l$ is the rank of $\Psi$. Observe that $U$ can be interpreted as a series of row operations of types I and/or III, and $V$ can be interpreted as a series of column operations of types I and/or III that are performed on $\Psi$ to reduce it to $D$. Since the ring $\mathbb{Z}$ is a principal ideal domain, the invariant factors of $\Psi$ are unique up to sign, so we may assume without loss of generality that all invariant factors are positive.

Then $U \Psi V V^{-1} s = U k$. Hence $D V^{-1} s = U \Psi V V^{-1} s = U k$. Consider the first $l$ rows of the column matrix $U k$. Each row can be interpreted as an integer applied to $k$. It follows then that $d_i \mid (\sum_j \alpha_j u_{ij})$ for $i = 1, \ldots, l$, so we can divide each of the first $l$ rows by the corresponding $d_i$ and still retain the form of an integer matrix. It follows then that we have

$$V^{-1} s = \Big[\, k\,\tfrac{\sum_j \alpha_j u_{1j}}{d_1},\ \ldots,\ k\,\tfrac{\sum_j \alpha_j u_{lj}}{d_l},\ \underbrace{0, \ldots, 0}_{\sum_i a_i - l}\,\Big]^T$$

as one solution; the last $\sum_i a_i - l$ coordinates are not constrained by $D V^{-1} s = U k$, since the corresponding rows of $D$ are zero.

In such cases we will use a subscript of $\mathcal{K}$; for example $\Psi_{\mathcal{K}}$ would represent the scheme $\Psi$ when group $\mathcal{K}$ has been adopted.
Set $R = \sum_i a_i - l$, and let $r_1, \ldots, r_R$ be chosen uniformly at random from $\mathcal{K}$. Then

$$V^{-1} s = \Big[\, k\,\tfrac{\sum_j \alpha_j u_{1j}}{d_1},\ \ldots,\ k\,\tfrac{\sum_j \alpha_j u_{lj}}{d_l},\ r_1, \ldots, r_R \,\Big]^T.$$

Therefore

$$s = V \Big[\, k\,\tfrac{\sum_j \alpha_j u_{1j}}{d_1},\ \ldots,\ k\,\tfrac{\sum_j \alpha_j u_{lj}}{d_l},\ r_1, \ldots, r_R \,\Big]^T. \qquad (2)$$

Represent $V$ as $V = [X \mid Y]$ where $X$ is a $\sum_i a_i \times l$ matrix (which is formed by using the first $l$ columns of $V$). Then $s$ can be represented as

$$s = C\,[k, r_1, \ldots, r_R]^T \qquad (3)$$

where

$$C = \Big[\, X \Big[\tfrac{\sum_j \alpha_j u_{1j}}{d_1}, \ldots, \tfrac{\sum_j \alpha_j u_{lj}}{d_l}\Big]^T \ \Big|\ Y \,\Big].$$

Consequently the total number of subshares $\sum_i a_i$ can be expressed as $R + l$; $R$ is the number of random elements required, and $l$ is the rank of $\Psi$.



3.2 Some Necessary Conditions of a GILTS 

Let $\Gamma' = \{A \mid A$ is a set of $t-1$ participants$\}$ and let $B' \in \Gamma'$. Let $s_{B'}$ represent all the (sub)shares used by the participants in $B'$, and $C_{B'}$ represent the corresponding rows of $C$ used to form $s_{B'}$. Further let $X_{B'}$ represent the first column of $C_{B'}$ and $Y_{B'}$ the remaining $R$ columns of $C_{B'}$, i.e. $C_{B'} = [X_{B'} \mid Y_{B'}]$. In [ref] the authors established $s_{B'} = k X_{B'} + Y_{B'}[r_1, \ldots, r_R]^T$, where $k X_{B'}$ represents a scalar operation of $k$ with $X_{B'}$.

Due to space limitations we omit many of the proofs, and will provide them in the final version of the paper.

Theorem 4. If a GILTS satisfies Definition 3 then for all $B' \in \Gamma'$, the rank of $C_{B'} \le R$.

Theorem 5. If a GILTS satisfies Definition 3 then for all $B' \in \Gamma'$, rank of $C_{B'}$ = rank of $Y_{B'}$.

Theorem 6. For each $i = 1, \ldots, n$, either the rank of $A_i$ equals the size of $s_i$ or participant $P_i$ can reduce his share size to the rank of $A_i$. That is, participant $P_i$ can form a share $s''_i$, which is of size equal to the rank of $A_i$, and $P_i$ can form a new submatrix $A''_i$ of rank equal to the rank of $A_i$ such that $A_i s_i = A''_i s''_i$.

For each $i = 1, \ldots, n$, $C_{P_i}$ denotes those rows of $C$ which pertain to participant $P_i$. That is, $s_i = C_{P_i}[k, r_1, \ldots, r_R]^T$.

Theorem 7. For each $i$, either the rank of $C_{P_i}$ equals $a_i$ or it is possible to replace $s_i$ by a share $s'_i$ whose size is equal to the rank of $C_{P_i}$.
The matrix $A_i$ represents the manner in which participant $P_i$ computes a partial secret using his subshares. The matrix $C_{P_i}$ represents the manner in which the distributor (or dealer) forms the subshares for participant $P_i$. What we see is that the rank of both matrices can be assumed to be equal, otherwise there exists some dependency either in the way $P_i$ computes partial secrets or in the way the distributor forms the subshares. In this case, it is possible to reduce share size, which removes the dependency (hence an agreement in the ranks of these matrices). In [ref] it was noted by Desmedt et al. that within the Desmedt-Frankel scheme [ref] there exist dependencies in the matrix which described the manner in which the partial secrets were computed. Hence the authors were able to reduce the share size by one-half.

Definition 8. We say that $P_i$ possesses independent subshares provided the share size is equal to the rank of $A_i$ = rank of $C_{P_i}$.

Observe that all group independent t out of n threshold schemes can be reformed so that all participants possess independent subshares. Further observe that the participants may reform their subshares (as described in these theorems) and not affect other participants. That is, it is possible for a participant to do this independent of the participation of the others. The notion of independent subshares was defined for the general scheme; once a specific group is adopted, independent subshares may become dependent.

4 Bounds on Randomness 

Randomness plays an important role in protecting information; its role within cryptography has been studied extensively. Randomness represents a computational requirement. A large requirement of randomness represents a burden on computational resources. Further, the generation of random elements can be expensive. There has been a considerable amount of investigation in the area of randomness required in secret sharing schemes, see [refs]. In the cases of [refs] it was to develop randomness bounds for secret sharing schemes that were not necessarily threshold sharing schemes. In [ref], bounds were developed for multisecret sharing schemes and/or dynamic threshold schemes. The work that most closely impacts our discussion is [refs], where bounds were developed for the amount of randomness required in ramp schemes and multiparty ramp schemes, because threshold schemes are special cases of ramp schemes.

4.1 Some Background in Randomness Requirement — within Ramp 
Schemes 

Ramp schemes are useful for developing secure multi-party communications in a fault-tolerant model. A $(c, t, n)$ ramp scheme in set $S$ is a protocol to distribute a secret $s$ chosen in set $S$ among a set of $n$ participants $\mathcal{P}$ in such a way that: (1) sets of cardinality greater than or equal to $t$ can compute the secret; (2) sets of cardinality less than or equal to $c$ have no information on $s$; and (3) sets of cardinality greater than $c$ but less than $t$ may have some information about $s$. They described the requirements using entropy:

1. for all $A \subseteq \mathcal{P}$ with $|A| \ge t$ it holds that $H(S \mid A) = 0$

2. for all $A \subseteq \mathcal{P}$ with $|A| \le c$ it holds that $H(S \mid A) = H(S)$

Note: If $c = t - 1$, then a $(c, t, n)$ ramp scheme is a $(t, n)$ threshold scheme.

Let $\Pi$ be a ramp scheme and $\Pi_S$ be the probability distribution on $S$. Blundo, 
De Santis, and Vaccaro defined the dealer's randomness as 

$$\mu_r(c, t, n, \Pi_S, S) = H(P_1, P_2, \ldots, P_n \mid S)$$ 

and derived the following. 

Theorem 9. Let the number of secrets be $|S| = 2^v \ge n + t - c$ for some 
positive $v$. The optimal number of random bits to set up a $(c, t, n)$ ramp scheme 
is equal to 

$$\mu_r(c, t, n, U_S, S) = \frac{c}{t - c} \log_2 |S|.$$ 

Here $U_S$ denotes the uniform probability distribution on the set of secrets $S$. 
Notice that Blundo et al. are discussing the optimal number of random bits, i.e. 
a lower bound on the number of random bits needed. When we discuss $R$ we are 
discussing the number of random elements. That is, to compare our work with 
their bound, we must compare $R \cdot \log_2 |S|$ with $\frac{c}{t-c} \log_2 |S|$, or 
compare $R$ with $\frac{c}{t-c}$. This comparison only makes sense when talking about 
$t$ out of $n$ threshold schemes. To make the comparison, we set $t = c + 1$. Thus 
$R \ge c = t - 1$. 

Further, Blundo, De Santis, and Vaccaro's randomness bound can be interpreted 
as: 

Theorem 10. The number of random bits used in a $(t, n)$ threshold scheme 
must be at least $(t - 1) \log_2 |S|$. 

5 Bounds on Randomness in a GILTS 

The bound derived by Blundo, De Santis, and Vaccaro, $R \ge t - 1$, shows that 
Shamir's scheme is optimal in the sense that it requires the minimum amount of 
randomness generated by the dealer. 

Any lower bound on randomness in a threshold sharing scheme over a field is a 
lower bound on randomness in a GILTS. Thus $R \ge t - 1$ in a GILTS. In the 2 out 
of 3 GILTS described in Example 1, $R = 2$, which is greater than $t - 1$. In the 
2 out of 4 GILTS described in Example 3, $R = 2$, which is also greater than 
$t - 1$. In both of these examples we will find that a minimal amount of randomness 
is required by the dealer, and so we see that the Blundo, De Santis, and Vaccaro 
lower bound does not effectively state the randomness needed within a GILTS. 

In the GILTS described within \n\, the amount of randomness $R$ satisfies 
$R \ge n(t - 1)$. So we see a great difference between the Blundo et al. bound 
and the randomness needed by the scheme in H3. We now derive bounds which 
better describe the randomness required in a GILTS. 
Theorem 11. If $\Pi$ is a $t$ out of $n$ group independent linear threshold scheme 
with independent shares, then for all $i$ the randomness required satisfies 
$R \ge a_i + (t - 2)$. 

Of course every participant must be given a share. Hence $a_i \ge 1$. So we see 
that $R \ge 1 + (t - 2) = t - 1$, which is the same bound as Blundo, De Santis, and 
Vaccaro derived. Therefore if any participant is given 2 or more subshares, 
our bound on the amount of randomness is an improvement on theirs. Note 
that any bounds concerning participant share size $a_i$ and total share size 
$\sum a_i$ provide three things: first, a bound on the amount of information that 
needs to be passed from dealer to participant; second, memory requirements for 
the participants; and lastly, a lower bound on the randomness required. Some 
examples concerning constructing bounds on share size include |3I5I1 Oil 1 127l33j. 

Recall that we have used $\Gamma'$ to denote all sets of participants of cardinality 
$t - 1$. For each set $A \subseteq \{P_1, \ldots, P_n\}$, let $\ell_A$ denote the rank of 
$C_A$. Further let $U_A$ and $V_A$ denote the matrices belonging to 
$GL(\sum_{P_i \in A} a_i, \mathbb{Z})$ and $GL(R + 1, \mathbb{Z})$, respectively, which reduce 
$C_A$ to Smith normal form. Observe that $U_A C_A$ has been reduced so that the only 
nonzero rows occur in the first $\ell_A$ rows. Writing $\zeta_{i,A}$ for row $i$, 
represent $U_A C_A$ by 

$$U_A C_A = [\zeta_{1,A}, \ldots, \zeta_{\ell_A,A}, 0, \ldots, 0]^T. \qquad (4)$$ 

Define 

$$KNOW(A) = \Big\{ \sum_{i=1}^{\ell_A} \alpha_i (\zeta_{i,A} \cdot \omega) : \alpha_i \in \mathbb{Z} \Big\}, \qquad (5)$$ 

where $\omega = [k, r_1, \ldots, r_R]^T$. $KNOW(A)$ can be thought of as the span of the 
"information" collectively held by the participants in $A$. 

Whenever a group $\mathcal{K}$ is adopted to be used within the threshold scheme, we 
will assume that we perform operations (Smith normal form reduction, etc.) using 
the group $\mathcal{K}$. One effect is that entries are reduced modulo the exponent of 
$\mathcal{K}$. There may be other effects; for example, the exponent of the group may 
be prime, so that all entries of the matrices belong to a field. The consequence 
is that we can use row/column operations of type II, and all square matrices of 
full rank are units. If $\mathcal{K}$ is the group adopted, then we will use 
$U_{A,\mathcal{K}}$ and $V_{A,\mathcal{K}}$ for the matrices which place $C_{A,\mathcal{K}}$ into 
Smith normal form. We will also use $KNOW(A, \mathcal{K})$ to denote the knowledge given 
by the shares of $A$ when working with group $\mathcal{K}$. 



Theorem 12. Let $\Pi$ be a GILTS. For all finite abelian groups $\mathcal{K}$ and 
$A_1, A_2 \in \Gamma'$ with $A_1 \ne A_2$, $KNOW(A_1, \mathcal{K}) \ne KNOW(A_2, \mathcal{K})$. 



Theorem 13. For all GILTS the randomness $R$ required satisfies 
$2^{R(R+1)} \ge \binom{n}{t-1}$. 

[Footnote] $KNOW(A)$ is a subgroup of the free abelian group generated by 
$\langle k, r_1, \ldots, r_R \rangle$. 

Proof. Let $\mathcal{K}$ be a finite abelian group with exponent 2. For all 
$B', B'' \in \Gamma'$ with $B' \ne B''$ we have $KNOW(B', \mathcal{K}) \ne KNOW(B'', \mathcal{K})$. 
Since $KNOW(B', \mathcal{K})$ is formed from $C_{B',\mathcal{K}}$ we see that 
$U_{B',\mathcal{K}} C_{B',\mathcal{K}} \ne U_{B'',\mathcal{K}} C_{B'',\mathcal{K}}$. Observe that each 
$U_{B',\mathcal{K}} C_{B',\mathcal{K}}$ is a $(\sum_{P_i \in B'} a_i) \times (R + 1)$ matrix. 
However the rank of $C_{B',\mathcal{K}}$ is $\le R$. Therefore 

$$U_{B',\mathcal{K}} C_{B',\mathcal{K}} = \begin{bmatrix} T_{B',\mathcal{K}} \\ 0 \end{bmatrix},$$ 

where $T_{B',\mathcal{K}}$ is an $R \times (R + 1)$ matrix. Further, for $B', B'' \in \Gamma'$ 
with $B' \ne B''$, we have $T_{B',\mathcal{K}} \ne T_{B'',\mathcal{K}}$. Since the entries of 
$T_{B',\mathcal{K}}$ are only 0's or 1's, there are exactly $2^{R(R+1)}$ ways to determine 
an $R \times (R + 1)$ matrix. As there are $\binom{n}{t-1}$ elements in $\Gamma'$, we 
conclude $\binom{n}{t-1} \le 2^{R(R+1)}$. 



Theorem 14. For all GILTS the randomness $R$ satisfies 

$$R + 1 \ge \sqrt{\log_2 \Big( 1 + \binom{n}{t-1} \Big)}.$$ 

Theorem 14 is an improvement on the Blundo et al. bound whenever 
$2^{t^2} < 1 + \binom{n}{t-1}$. Notice that there are infinitely many $t$ and $n$ which 
satisfy this inequality: for every fixed $t \ge 2$ it holds for all sufficiently 
large $n$, since $\binom{n}{t-1}$ grows without bound in $n$. 

Suppose $\Pi$ is a GILTS such that every participant has independent subshares. 
Despite the fact that everyone possesses independent subshares, once a group is 
adopted, shares may become dependent or shares may become irrelevant (no longer 
needed to compute the secret). A subshare will be called degenerate if the 
subshare is not used to compute $k$. In the theorems above on independent 
subshares we described how to generate them. If a share is degenerate we assume 
the participant will throw it away. In some instances it is preferred that a set 
of participants belonging to the access structure can not only compute the secret 
key $k$ but also compute all other shares; that is, together they possess all 
information within the system. We now formally describe the requirements for 
this model. 

Model 5.1 A $t$ out of $n$ GILTS is called "all-revealing" provided that for any 
finite abelian group $\mathcal{K}$ and for all $k \in \mathcal{K}$: 

(1) $Prob(k \mid s_{i_1}, \ldots, s_{i_{t-1}}) = Prob(k)$ for any $t - 1$ participants 
$P_{i_1}, \ldots, P_{i_{t-1}}$; 

(2) $Prob(k \mid s_{i_1}, \ldots, s_{i_t}) = 1$ for any $t$ participants 
$P_{i_1}, \ldots, P_{i_t}$; 

(3) $Prob(s_j \mid s_{i_1}, \ldots, s_{i_t}) = 1$ for all $j$, where $s_j$ represents 
the nondegenerate subshares belonging to $P_j$ used in the threshold scheme when 
working with group $\mathcal{K}$. 

[Footnote] $a_{i,\mathcal{K}}$ represents the number of subshares participant $P_i$ uses 
within the threshold scheme $\Pi_{\mathcal{K}}$. Thus $a_{i,\mathcal{K}} \le a_i$. Further, 
$a_{i,\mathcal{K}}$ is the rank of $A_{i,\mathcal{K}}$. 
Observe that when the group $\mathcal{K}$ has exponent 2, all the invariant factors 
in the reduced $C_{\mathcal{K}}$ are 1. We see that in the all-revealing model, all sets 
belonging to $\Gamma$ can not only determine all shares but also compute all random 
elements; that is, they can determine $r_i$ for $i = 1, \ldots, R$. The following 
illustrates that all-revealing schemes naturally exist. 

Theorem 15. Every $n - 1$ out of $n$ GILTS is all-revealing. 

As we will soon see, the model for all-revealing schemes provides the tools to 
improve the result given by Theorem 14. 

5.1 Some Observations Concerning All-Revealing Schemes when $\mathcal{K}$ Has 
Exponent 2 

Consider the secret sharing scheme $\Pi_{\mathcal{K}}$, where we adopt a group $\mathcal{K}$ 
with exponent 2. For each $B' \in \Gamma'$, let $L_{B'}$ denote the matrix belonging 
to $GL(\sum_{P_i \in B'} a_i, \mathbb{Z}_2)$ such that $L_{B'} C_{B',\mathcal{K}}$ is in 
Gauss-Jordan form. Recall that $C_{B',\mathcal{K}}$ has rank $\le R$, so the number of 
nonzero rows is $\le R$. Observe that for different $B' \in \Gamma'$ the number of 
rows in $L_{B'} C_{B',\mathcal{K}}$ may differ. To make an effective comparison between 
$L_{B'} C_{B',\mathcal{K}}$ and $L_{B''} C_{B'',\mathcal{K}}$ we want precisely $R + 1$ rows: 
if $L_{B'} C_{B',\mathcal{K}}$ lacks that many rows, insert enough zero rows; if it has 
more than $R + 1$ rows, delete enough zero rows to achieve a matrix with $R + 1$ 
rows. Although we may have formed a new matrix, the nonzero rows are the same; 
we will use $T_1(L_{B'} C_{B',\mathcal{K}})$ to denote this new matrix. Second, note that 
$T_1(L_{B'} C_{B',\mathcal{K}})$ is still in Gauss-Jordan form. To achieve an even more 
consistent representation between all the $T_1(L_{B'} C_{B',\mathcal{K}})$ for different 
$B'$, we perform one more manipulation. For each nonzero row $z$ in 
$T_1(L_{B'} C_{B',\mathcal{K}})$, if the leading nonzero term in $z$ occurs in column $i$, 
interchange rows so that $z$ is rotated to row $i$. We use $T_2(L_{B'} C_{B',\mathcal{K}})$ 
to represent this matrix. 

For each $B' \in \Gamma'$, let us represent row $i$ of $T_2(L_{B'} C_{B',\mathcal{K}})$ by 
$\beta_{i,B'}$ for $i = 0, \ldots, R$. Then 
$T_2(L_{B'} C_{B',\mathcal{K}}) = [\beta_{0,B'}, \ldots, \beta_{R,B'}]^T$, where each 
$\beta_{i,B'}$ is an $(R + 1)$-tuple. Therefore an equivalent representation of 
$KNOW(B', \mathcal{K})$ is: 

$$KNOW(B', \mathcal{K}) = \Big\{ \sum_{i=0}^{R} \theta_i (\beta_{i,B'} \cdot \omega) : \theta_i \in \mathbb{Z}_2 \Big\}. \qquad (6)$$ 

That is, it is trivial to show that Definition (6) is equivalent to Definition (5). 

Denote $\theta_{B'}(\theta) = \sum_{i=0}^{R} \theta_i \beta_{i,B'}$, where 
$\theta = [\theta_0, \ldots, \theta_R]$. Observe that $\theta_{B'}(\theta)$ is an 
$(R + 1)$-tuple, and that for distinct $B' \in \Gamma'$ we get distinct 
$\theta_{B'}(\theta)$. For each $B' \in \Gamma'$ we have 
$\theta_{B'}(\theta) = (\xi_0, \ldots, \xi_R)$, where each $\xi_j$ is some linear 
combination of the $\theta_i$'s. Further, $\theta_i$ cannot be used in the linear 
combination that represents $\xi_j$ whenever $i > j$. This follows from our 
construction of $T_2(L_{B'} C_{B',\mathcal{K}})$. 

Define $\Lambda_0 = \{ \theta_{B'}(\theta) : B' \in \Gamma' \text{ and } \xi_0 \ne \theta_0 \}$. 
Inductively, for $i = 1, \ldots, R$ we define 
$\Lambda_i = \{ \theta_{B'}(\theta) : B' \in \Gamma',\ \xi_0 = \theta_0, \ldots, \xi_{i-1} = \theta_{i-1} \text{ and } \xi_i \ne \theta_i \}$. 
Lemma 16. For $i = 0, \ldots, R$, 

$$|\Lambda_i| \le 2^i.$$ 

Theorem 17. For all GILTS (group independent linear threshold schemes) 
which satisfy the all-revealing model, the amount of randomness $R$ satisfies 

$$R + 1 \ge \log_2 \Big( 1 + \binom{n}{t-1} \Big).$$ 

Proof. Let $\mathcal{K}$ be a group of exponent 2. What we will establish is that the 
amount of randomness required in such a group satisfies 
$2^{R+1} \ge 1 + \binom{n}{t-1}$; this will establish the result. 

Recall that for each $B' \in \Gamma'$ we have defined $\theta_{B'}(\theta)$ such that 
for distinct $B'$ we get distinct $\theta_{B'}(\theta)$. Therefore we see that 
$|\{ \theta_{B'}(\theta) : B' \in \Gamma' \}| \ge \binom{n}{t-1}$. 

Some observations: 

— for $i, j = 0, \ldots, R$, $i \ne j$, we see that by definition $\Lambda_i \cap \Lambda_j = \emptyset$, and 

— for each $\theta_{B'}(\theta) = (\xi_0, \ldots, \xi_R)$, if $\theta_i$ is used in some 
linear combination for $\xi_j$, then $j \ge i$. 

The second observation implies that each $\theta_{B'}(\theta)$ belongs to some 
$\Lambda_i$ (where $0 \le i \le R$). This follows from the argument that if 
$\theta_{B'}(\theta)$ does not belong to $\Lambda_i$ for any $i$, then 
$\xi_0 = \theta_0, \xi_1 = \theta_1, \ldots, \xi_R = \theta_R$. Consequently the matrix 
$L_{B'} C_{B',\mathcal{K}}$ has rank $R + 1$, which of course implies that $C_{B'}$ has 
rank $R + 1$, contradicting the fact recalled above that its rank is at most $R$. 

The first observation implies that $|\bigcup_{i=0}^{R} \Lambda_i| = \sum_{i=0}^{R} |\Lambda_i|$. 
Using Lemma 16 we see that $\sum_{i=0}^{R} |\Lambda_i| \le 1 + 2 + \cdots + 2^R = 2^{R+1} - 1$. 
Now using both observations we see that 
$|\{ \theta_{B'}(\theta) : B' \in \Gamma' \}| \le \sum_{i=0}^{R} |\Lambda_i| \le 2^{R+1} - 1$. 
Hence $\binom{n}{t-1} \le 2^{R+1} - 1$. Therefore $2^{R+1} \ge 1 + \binom{n}{t-1}$. 

5.2 Remarks 

Let us say that a GILTS is efficient if it requires the minimal amount of 
randomness. Observe that the 2 out of 3 GILTS described in Example 1 is all- 
revealing, and it is efficient (requires a minimal amount of randomness) in that 
$R = 2$. This last remark follows from the fact that this scheme possesses a 
minimal number of subshares (this is due to a result in [2], which implies that 
for a 2 out of $n$ scheme $\sum a_i \ge n \log_2 n$, so for $n = 3$ some participant 
holds $a_i \ge 2$ subshares), and Theorem 11, which implies $R \ge a_i + (t - 2)$. 
Thus for all 2 out of 3 schemes $R \ge 2$. Observe that Theorem 17 fails to give 
us the true minimal bound, since $R + 1 \ge \log_2(1 + \binom{3}{1}) = 2$ only 
yields $R \ge 1$. 

The 2 out of 4 GILTS given in Example 3 is also an example of an efficient 
GILTS (minimal amount of randomness required), again with $R = 2$. This follows 
from the same argument as above. First, $\sum a_i \ge 4 \log_2 4 = 8$ by [2], so 
some participant holds $a_i \ge 2$ subshares. Secondly, by Theorem 11, 
$R \ge a_i + (t - 2) = 2$. It is trivial to show that this scheme is all-revealing. 
In this example we find that Theorem 17 provides a tight bound for 2 out of 4 
schemes: $R + 1 \ge \log_2(1 + \binom{4}{1}) > 2$, so the integer $R + 1$ must 
exceed 2, hence $R \ge 2$. 
6 Conclusion 

We have formalized the definition of group independent linear threshold sharing 
and introduced new lower bounds for randomness in a GILTS. In addition, we 
have provided some examples of cases when these bounds are tight. We still 
see that there exists an enormous gap between our bounds on randomness and 
the randomness required by the scheme in im: that is, 
$R + 1 \ge \sqrt{\log_2(1 + \binom{n}{t-1})}$, whereas in im we have 
$R \ge n(t - 1)$. Future work may include examining this gap. We have also 
introduced randomness bounds which incorporate share size, namely Theorem 11. 
It would be worthwhile to develop bounds on share size within a GILTS; the 
bounds on 2 out of $n$ threshold schemes in [2] helped us to show that Examples 1 
and 3 are efficient. Lastly, we have found that both of these efficient GILTS 
were all-revealing. Is it true that all efficient GILTS must be all-revealing? 
That is, if a scheme requires a minimal amount of randomness, does this imply 
that it must be all-revealing? 
7 Appendix 

Example 2. cni Consider the following 2 out of 4 scheme, in which each participant 
is given 2 subshares. Participant $P_i$ is given share $s_i$, where $s_{i1}$ and 
$s_{i2}$ are defined by the following table. 

      s11      s12      s21      s22     s31     s32      s41     s42 
    k - r2   k - r1   k - r2     r1      r2    k - r3     r2      r3 

For all $\mathcal{K} \in \mathbf{K}$, $k$ represents the secret and $r_1, r_2, r_3$ represent 
three random elements chosen uniformly at random from the finite abelian group. 
Here $-r$ represents the inverse of $r$. Each row of the matrix $W$ below 
represents one of the $\binom{4}{2}$ sets $B$ (sets of cardinality 2) and indicates 
how that set can compute the secret. With the columns ordered 
$s_{11}, s_{12}, s_{21}, s_{22}, s_{31}, s_{32}, s_{41}, s_{42}$, the corresponding $W$ is 

    W = | 1 0 0 0 1 0 0 0 |    (s11 + s31 = k, set {P1, P3}) 
        | 1 0 0 0 0 0 1 0 |    (s11 + s41 = k, set {P1, P4}) 
        | 0 0 1 0 1 0 0 0 |    (s21 + s31 = k, set {P2, P3}) 
        | 0 0 1 0 0 0 1 0 |    (s21 + s41 = k, set {P2, P4}) 
        | 0 1 0 1 0 0 0 0 |    (s12 + s22 = k, set {P1, P2}) 
        | 0 0 0 0 0 1 0 1 |    (s32 + s42 = k, set {P3, P4}) 

So we have $W s = [k, k, \ldots, k]^T$, and $\sum a_i = 8$. 



Example 3. [SI 

One can easily see that having two distinct random elements $r_1$ and $r_3$ is 
not necessary. We can choose $r_3 = r_1$ and still satisfy the definition: 

      s11      s12      s21      s22     s31     s32      s41     s42 
    k - r2   k - r1   k - r2     r1      r2    k - r1     r2      r1 

It can easily be established that this scheme is as secure as the first example. 
The share size is the same as before, but to create a more efficient scheme (i.e. 
to reduce the amount of randomness) we have increased the rank of $W$ (this was 
done by introducing an additional dependency between shares). The corresponding 
matrix, now written $E$, is 

    E = | 1 0 0 0 1 0 0  0 | 
        | 1 0 0 0 0 0 1  0 | 
        | 0 0 1 0 1 0 0  0 | 
        | 0 0 1 0 0 0 1  0 | 
        | 0 1 0 1 0 0 0  0 | 
        | 0 0 0 0 0 1 0  1 | 
        | 0 0 0 1 0 0 0 -1 | 

where $E s = [k, k, k, k, k, k, 0]^T$. This last row of $E$ is needed: it expresses 
that the second subshare of $P_2$ is the same as the second subshare of $P_4$ 
(i.e. $r_1 = r_3$). 
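The two appendix schemes, checked by brute force over several small finite abelian groups. This is an added example and not code from the paper: a group is represented as a product of cyclic groups (`mods=(6,)` is $\mathbb{Z}_6$, `(2, 2)` the Klein four-group), each subshare as its integer coefficient row over $\omega = [k, r_1, \ldots, r_R]$, and the functions `is_threshold` and `is_all_revealing` exhaustively test the 2 out of 4 threshold property and Model 5.1 against every choice of $\omega$. Example 1 is not on this page and is omitted; the names and the `mods` convention are ours.

```python
# Added example (not from the paper): brute-force checks of the 2 out of 4
# GILTS of Examples 2 and 3 over several small finite abelian groups.
from collections import Counter
from itertools import combinations, product

# A subshare is an integer coefficient row over the information vector
# omega = [k, r_1, ..., r_R]; a coefficient of -1 means the group inverse.
# Example 2 draws R = 3 random elements; Example 3 reuses r_1 for r_3 (R = 2).
EXAMPLE_2 = {
    1: [(1, 0, -1, 0), (1, -1, 0, 0)],   # s11 = k - r2, s12 = k - r1
    2: [(1, 0, -1, 0), (0, 1, 0, 0)],    # s21 = k - r2, s22 = r1
    3: [(0, 0, 1, 0), (1, 0, 0, -1)],    # s31 = r2,     s32 = k - r3
    4: [(0, 0, 1, 0), (0, 0, 0, 1)],     # s41 = r2,     s42 = r3
}
EXAMPLE_3 = {
    1: [(1, 0, -1), (1, -1, 0)],         # s11 = k - r2, s12 = k - r1
    2: [(1, 0, -1), (0, 1, 0)],          # s21 = k - r2, s22 = r1
    3: [(0, 0, 1), (1, -1, 0)],          # s31 = r2,     s32 = k - r1
    4: [(0, 0, 1), (0, 1, 0)],           # s41 = r2,     s42 = r1
}


def group_elements(mods):
    """Elements of Z_{m1} x ... x Z_{mj} as tuples; (6,) is Z_6, (2, 2) the Klein group."""
    return list(product(*(range(m) for m in mods)))


def g_add(a, b, mods):
    return tuple((x + y) % m for x, y, m in zip(a, b, mods))


def g_scale(c, a, mods):
    """Integer multiple c*a in the group; c = -1 yields the inverse -a."""
    return tuple((c * x) % m for x, m in zip(a, mods))


def compute_shares(scheme, omega, mods):
    """Evaluate every participant's subshares for the information vector omega."""
    zero = tuple(0 for _ in mods)
    shares = {}
    for pid, rows in scheme.items():
        subs = []
        for row in rows:
            acc = zero
            for coeff, elem in zip(row, omega):
                acc = g_add(acc, g_scale(coeff, elem, mods), mods)
            subs.append(acc)
        shares[pid] = tuple(subs)
    return shares


def randomness(scheme):
    """R, the number of random group elements the dealer draws (len(omega) - 1)."""
    return len(next(iter(scheme.values()))[0]) - 1


def theorem11_bound(scheme, t):
    """The paper's Theorem 11 bound R >= a_i + (t - 2), taken at the largest a_i."""
    return max(len(rows) for rows in scheme.values()) + (t - 2)


def _views(scheme, mods):
    """All (omega, shares) pairs for the given group."""
    elems = group_elements(mods)
    return [(omega, compute_shares(scheme, omega, mods))
            for omega in product(elems, repeat=randomness(scheme) + 1)]


def is_threshold(scheme, mods, t):
    """True iff every t-set determines k and every (t-1)-set's view is independent of k."""
    table = _views(scheme, mods)
    pids = sorted(scheme)
    for auth in combinations(pids, t):
        k_for_view = {}
        for omega, sh in table:
            k_for_view.setdefault(tuple(sh[p] for p in auth), set()).add(omega[0])
        if any(len(ks) > 1 for ks in k_for_view.values()):
            return False
    for unauth in combinations(pids, t - 1):
        dist_given_k = {}   # k -> distribution of the (t-1)-set's view over the r_i
        for omega, sh in table:
            dist_given_k.setdefault(omega[0], Counter())[tuple(sh[p] for p in unauth)] += 1
        if len({frozenset(c.items()) for c in dist_given_k.values()}) != 1:
            return False
    return True


def is_all_revealing(scheme, mods, t):
    """Model 5.1 check: every authorised t-set's view must fix all of omega (k and each r_i).
    Degenerate subshares are not modelled; Examples 2 and 3 have none."""
    pids = sorted(scheme)
    for auth in combinations(pids, t):
        omega_for_view = {}
        for omega, sh in _views(scheme, mods):
            view = tuple(sh[p] for p in auth)
            if omega_for_view.setdefault(view, omega) != omega:
                return False
    return True


if __name__ == "__main__":
    for name, scheme in (("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        for mods in ((2,), (3,), (5,), (2, 2), (6,)):
            assert is_threshold(scheme, mods, 2), (name, mods)
        print(name, "R =", randomness(scheme), "Theorem 11 bound =",
              theorem11_bound(scheme, 2), "all-revealing over Z_3:",
              is_all_revealing(scheme, (3,), 2))
```

Running it confirms the appendix: both schemes are 2 out of 4 threshold schemes over every group tried (group independence), Example 3 meets the Theorem 11 bound $R = a_i + (t-2) = 2$ and is all-revealing, while in Example 2 the pair $\{P_1, P_2\}$ learns nothing about $r_3$, so that scheme is not all-revealing even though every pair recovers $k$.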
Abstract. Digital signature is a breakthrough of modern cryptographic 
systems. A {t, n) threshold digital signature allows every set of cardinality 
t or more (out-of n) co-signers to authenticate a message. In almost all 
existing threshold digital signatures the threshold parameter t is fixed. 
There are applications, however, in which the threshold parameter needs 
to be changed from time to time. This paper considers such a scenario, 
in order to discuss relevant problems, and proposes a model that solves 
the related problems. 



1 Introduction 

In democratic organizations a majority of members rules. So if an organization 
has $n$ members, any collection of $t$ members, where $t \ge \lfloor n/2 \rfloor + 1$, 
has to have the power 
to act on behalf of the organization. Examples of such organizations include 
legislative bodies governing countries (parliaments, senates, etc.), cities (city 
councils), companies and other democratic institutions. Cryptography developed 
a (t, n) threshold digital signature which can be generated by any group of t 
members. The fact that a (democratic) group successfully generated a signature 
means that a majority of its members agreed on the form of the signed message 
(that may be a piece of legislation). In general, (t, n) threshold signature scheme 
allows a group of n participants to collectively hold a group secret key. Each 
participant, using his share from the secret key, can generate a partial signature 
such that 

— any collection of t or more partial signatures enables the group to compute 
a valid signature of the group, 

— any collection of t — 1 or less partial signatures is not enough to yield the 
valid group signature. 

Additionally, we require that the knowledge of partial signatures does not allow 
either the group secret or the shares of the group secret held by participants to 
be recovered. The group signature is computed 

1. with no help of a combiner - a collection of currently active participants 
pool their partial signatures and recover collectively the group signature 
(each active participant acts as a combiner), 
2. with the help of a combiner - a collection of active participants submit their 
partial signatures to a trusted combiner, who performs the computation for 
them and generates the group signature. 

Threshold signatures must apply secret sharing schemes. It is worth noting that 
a threshold secret sharing scheme is typically one-time or once an authorised set 
of participants has reconstructed the secret, both the secret and all shares have 
become known to everyone within the group. For a threshold signature, however, 
a collection of participants reveal their partial signatures without compromising 
their shares so the signature scheme can be used a (polynomial) number of times. 

The concept of group signatures was invented by Boyd 0, who demonstrated 
how to adapt the RSA system to implement a (2, 2) multisignature and a (2, n) 
threshold RSA signature. A general (t, n) threshold RSA signature scheme has 
been proposed by Desmedt and Frankel. Implementations of threshold and 
multisignature schemes based on ElGamal and its variants (the DSS signature 
schemes) were the subject of extensive investigations (see, for example, [TTIj, 
H3), nn, na and uni). 

In general, a {t, n) threshold signature is set up by a trusted dealer or key 
authentication center (KAC), who generates the secret key K, designs a (t,n) 
threshold secret sharing scheme and distributes the shares of the secret key 
among the participants. Note that the underlying secret sharing is static so the 
threshold parameter t is fixed for all signatures generated by the scheme. 

There are, however, some applications for which the threshold parameter of 
the signature needs to be changed from time to time m. For example, consider 
a legislative body (parliament) with 100 members. If all members are present, 
then any majority with at least 51 is able to pass a bill. To support the voting 
on the bill by using cryptography in these circumstances, it is enough to design 
a (51, 100) threshold signature. In practice, however, the presence of the whole 
house is a rare event and most of the time the number of members present is 
smaller than 100. There is also a lower bound imposed on the number of members 
below which all bills passed do not have any legal significance. The quorum is 
the smallest group of members whose decisions are still legally binding. In our 
example the cardinality of the smallest quorum is 51. So if there are 51 sitting 
members voting on a bill, then the bill becomes a law if there are 26 members 
voting for it. To support this scenario cryptographically, one would need to 
implement a (26,51) threshold signature. It is obvious by now that to enable 
members of parliament to generate valid signatures, the threshold parameter 
must be adjusted depending on the number of currently sitting members. The 
range of possible thresholds spans from 26 to 51. 

Hence, we would need a dynamic {ti,ni) threshold signature scheme which 
allows us to transfer signing power from a set of t members to a set of ti (t > ti) 
members. Note that, the transfer of power must be temporary and applicable 
for signing a single message, and must not be useful for signing any other mes- 
sage. Thus, a solution which allows us to go from a {t, n) threshold scheme to 
a (ti,ni) threshold scheme (such as, [Z|) on the underlying threshold scheme of 
the threshold signature scheme is not acceptable. 
1.1 The Scenario 

Consider a parliament with $n$ members. A quorum must have at least 
$\lfloor n/2 \rfloor + 1$ members to result in legally binding proceedings. Sessions 
are typically run by a chair-person or a committee and there may also be 
secretaries and even an audience. The secretaries and audience play a passive 
role. The chair-person puts forward the motion (a proposed bill, or simply the 
message) for voting. The voting can be conducted in two ways, either by public 
or secret ballot. Public voting is in many cases considered to be undemocratic as 
the voters may be subject to undue pressure (such as party discipline). Secret 
ballot is preferred in those situations where the way participants have voted is 
to remain secret. The ballot in the voting is binary "yes/no": the members may 
agree or disagree with the proposed motion. The motion is passed if the number 
of "yes" votes is bigger than $\lfloor n_i/2 \rfloor$, where $n_i$ is the number of 
members present in the session; otherwise it is rejected. The result, whatever it 
is, will be recorded by the secretaries, and the documentation keeps track of 
events in sessions. Note that the motion should not be known to participants 
prior to the beginning of the session. Otherwise participants may want the motion 
to be delayed by walking out of the session and making a quorum unachievable. 



1.2 Requirements 

The acceptance or rejection of a motion in a democratic group with n partici- 
pants can be supported by an electronic system based on a threshold signature 
which needs to satisfy the following conditions. 

1. Initially, we need to design a $(\lfloor n/2 \rfloor + 1, n)$ threshold signature 
scheme. In order to sign a message during the $i$-th session with $n_i$ participants 
present ($n_i \ge \lfloor n/2 \rfloor + 1$), the power to sign a message must be 
transferred to $t_i$ participants ($t_i = \lfloor n_i/2 \rfloor + 1$), where $t_i$ is 
the new threshold. 

2. Transfer of the power to sign must be 

— for a single message only - partial signatures generated by active partic- 
ipants during the i-th session, do not compromise security of threshold 
signatures generated during other sessions (and vice versa), 

— for a duration of the i-th session only - the validity of partial signatures 
generated during the i-th session is limited for the duration of the session. 
This is to say that “if a message is not signed at the i-th session (because 
the majority has not agreed), then later the message cannot be signed 
(even if the circumstances have dramatically changed).” To force this 
requirement, we let participants generate valid group signatures only 
with the help of a trusted combiner. Note that the chair-person can play 
the role of the combiner. 

3. Voting for/ against the motion is to be conducted using a secret ballot so 
nobody (currently active participants and other participants) is able to dis- 
cover how the participants voted apart from the knowledge that the motion 
has been successfully moved (and the corresponding message signed) or that 
the motion failed. The trusted combiner is, however, allowed to know how 
the participants voted. 

4. Any minority of dishonest participants cannot create bogus sessions. This is 
another reason why we use the trusted combiner. 

2 The Model 

The necessary cryptographic components include the following 

— A $(t, n)$ threshold signature - this is the basic signature scheme to be used 
repeatedly for all consecutive sessions. The parameter $t = \lfloor n/2 \rfloor + 1$ 
specifies the size of the smallest quorum which still has the power to run 
legally binding sessions. 

— A cryptographic protocol used to distribute partial signatures of a message 
(blinded by the combiner) from the current quorum with $n_i$ participants into a 
$(t_i, n_i)$ threshold scheme. The resulting one-time threshold signature is 
unblinded - the message which corresponds to the threshold signature is known. 

— The combiner must be active in all legally binding sessions. To give the 
combiner the required power, the secret key $K$ is split into two parts 
$(K_1, K_2)$ such that $K = K_1 + K_2$. The first part $K_1$ is distributed among 
the participants and the second one $K_2$ is assigned to the combiner. A valid 
signature can be generated only if both a majority of the current quorum and 
the combiner collaborate. One may argue that assigning a portion of the secret 
key to the combiner is not reasonable - what happens if the combiner loses the 
key? This problem can be solved by putting a committee in place of a single 
combiner and distributing shares of $K_2$ among the members of the committee. 

— Generation of a signature for a motion can be blocked by a combiner who 
refuses to collaborate in signing; the combiner may later claim that there was 
not enough support for the motion. To avoid these problems, we assume that the 
participants vote for or against the motion by signing either the "yes" message 
$M$ or the "no" message $M'$. Hence, at the end of the session one and only one 
of these messages will be signed, which indicates the decision of the members 
(not the combiner) regarding the motion. 

— Generation of a signature for a motion can be blocked by the combiner who 
may refuse to collaborate in signing. The combiner later may claim that there 
was not enough support for the motion. To avoid these problems, we assume 
that the participants are voting for or against the motion by signing either 
“yes” message M or “no” message M'. Hence, at the end of the session one 
and only one of these messages will be signed, which indicates the decision 
of the members (not the combiner) regarding the motion. 

3 Components of the System 

This section considers the basic tools which we will use for the implementation 

of our system. 

3.1 Communication Channel 

Each member and the combiner is connected to a common broadcast medium 

with the property that messages sent to the channel instantly reach every party 
connected to it. We assume that the broadcast channel is public, that is, every- 
body can listen to all information communicated via the channel but cannot 
modify it. We assume also that there exist private channels between every pair 
of members, such that nobody can listen to or modify the messages sent via these 
private channels. 

3.2 Threshold Scheme 

Threshold secret sharing schem es were introduced in HHE]. Due to its nice 
algebraic structure, the Shamir scheme m is frequently applied in society-oriented 
cryptographic systems. The Shamir $(t, n)$ threshold scheme is based on polynomial 
interpolation. Let the secret be an element of a finite field, that is, 
$K \in \mathbb{Z}_p$, where $p$ is a prime number. Shamir suggests the following 
algorithm for constructing a $(t, n)$ threshold scheme. 

1. The dealer, $\mathcal{D}$, chooses $n$ distinct and non-zero elements of $\mathbb{Z}_p$, 
denoted $x_1, \ldots, x_n$, and sends $x_i$ to $P_i$ via a public channel. 

2. $\mathcal{D}$ secretly chooses (independently at random) $t - 1$ elements of 
$\mathbb{Z}_p$, denoted $a_1, \ldots, a_{t-1}$, and forms the polynomial 

$$f(x) = K + \sum_{i=1}^{t-1} a_i x^i.$$ 

3. For $1 \le i \le n$, the dealer computes $s_i$, where 

$$s_i = f(x_i) \pmod p.$$ 

4. $\mathcal{D}$ sends (via a private channel) share $s_i$ to participant $P_i$, 
$i = 1, \ldots, n$. 

At the reconstruction phase, every set of at least $t$ participants can apply the 
Lagrange interpolation formula to reconstruct the polynomial and hence recover 
the secret. Alternatively, participants could give their shares to a trusted 
authority, called the combiner, to perform the computation for them. 



3.3 Threshold Signature 

The first solution for democratic systems was proposed by Desmedt and King 
0 and it was based on the RSA threshold signature scheme. Li, Hwang and Lee 
have argued that a $(t, n)$ threshold signature scheme must not only ensure 
that fewer than $t$ users cannot generate a correct signature, but also that the 
signature of a particular set of $t$ participants cannot be forged by another set 
of $t$ participants. They also pointed out that the Desmedt-Frankel 0 $(t, n)$ 
threshold RSA signature is subject to a conspiracy attack. That is, if $t$ (or 
more) participants conspire, then the group secret key and all participants' 
shares will be revealed. Once the shares are revealed, the set of collaborating 
participants can impersonate another set of shareholders to sign a message 
without holding the responsibility for the signature, and can deny having signed 
a message though in fact they have signed it. 

This is a common shortcoming of almost all threshold signature schemes. We 
design our system using an ElGamal-type threshold signature scheme that re- 
moves this shortcoming. In our system, even if all members collaborate, they can 
get Ki which is useless without knowing K 2 - On the other hand, the combiner 
(or the members of committee) cannot obtain anything more than K 2 - That is, 
the group secret key can be recovered if and only if the participants and the 
combiner (the committee members) collaborate. 

3.4 Verifiable Transfer of Signature Shares 

The main assumption of threshold schemes is that the dealer is trustworthy. 
In our model, the transfer of power to sign a message requires that a subset of 
members (with cardinality equal to or greater than t) applies a threshold scheme 
and distributes its partial signatures on the motion among all present members 
in a session. Since the honesty of members is not guaranteed, the correctness 
of the shares given to each member could be questionable. A solution to these 
sorts of problems has been discussed in verifiable secret sharing schemes (see, for 
example, 0, ca, 0)- 

Verifiable secret sharing schemes allow the honest participants to ensure that 
their shares are correct (related to the secret) and thus in the secret reconstruc- 
tion phase they will recover the original secret. Stadler m proposed a publicly 
verifiable secret sharing scheme in which not only the participants but also an 
outsider can verify that the shares are correctly distributed. The underlying ver- 
ifiable secret sharing scheme which we will use in our implementation is due to 
Pedersen (HI- We will propose a protocol that convinces the participants, the 
combiner, and even outsiders about the correctness of the signature and relevant 
shares. 

4 Implementation 

In this section, we implement the proposed democratic scheme that satisfies the 
requirements of its corresponding real-life application. 

4.1 Initialization 

We employ the Harn $(t, n)$ threshold digital signature. This system utilises
the Shamir threshold scheme and a modified version of the ElGamal signature. A
dealer or trusted key authentication centre (KAC) selects the system parameters
as follows:

- $p$, a prime modulus, where $2^{511} < p < 2^{512}$;

- $q$, a prime divisor of $p - 1$, where $2^{159} < q < 2^{160}$;

- a random integer $K_2 \in \mathbb{Z}_q$ as the secret key of the combiner (or of a committee
  that plays the role of the combiner);

- $K_1$, such that $K = K_1 + K_2 \pmod q$, where $K$ is the secret key
  associated with the organization;

- a polynomial $f(x) = K_1 + a_1 x + \cdots + a_{t-1} x^{t-1} \pmod q$, where $K_1$ is the secret
  associated with the members and the $a_i$ are random integers in $\mathbb{Z}_q$;

- $g = h^{(p-1)/q} \pmod p$, where $h \in GF(p)$ is a primitive element ($g$ is an
  element of order $q$ in $GF(p)$).

The parameters $p$, $q$ and $g$ are public, but $K$, $K_1$, $K_2$, and $a_1, \ldots, a_{t-1}$ are secret
values.

The KAC uses the Shamir $(t, n)$ threshold scheme to share the secret $K_1$
among the set $\mathcal{P} = \{P_1, \ldots, P_n\}$ of the group members. That is, it assigns
$s_i = f(x_i)$ to participant $P_i$ $(1 \le i \le n)$, where the $x_i$ are distinct public
non-zero elements of $\mathbb{Z}_q$. It assigns $K_2$ to the combiner. For
simplicity, we assume the system has a single combiner. It is not difficult to
show how it works if a committee runs the sessions. The KAC also publishes
$y = g^{K} \pmod p$ as the group public key and $y_i = g^{f(x_i)} \pmod p$ as the public key
of participant $P_i$ $(1 \le i \le n)$.



4.2 Opening a Session 

The combiner/chair-person sends an announcement via the public communica- 
tion channel. Those participants who want to take part in the session will respond 
to the announcement. If the number of participants is large enough (i.e., satisfies 
the quorum) then the session can be started. Note that, at this stage everyone 
knows the identity of all other members present in the session. 

A common practice in generating digital signatures is to apply an appropriate
hash function to the message and then sign the hash value. Fundamental
characteristics of all such hash functions are that they are one-way and
collision free. Knowing the hash value of a message therefore does not let one
recover the message itself; note, however, that one-wayness only protects a
message with enough entropy, since the hash of a short, guessable message can be
matched simply by hashing the candidates.

Let $\{P_1, P_2, \ldots, P_{n_i}\}$ be the set of present members in the $i$-th session
$(n_i \ge t)$. The combiner/chair-person, who is supposed to collect the members' votes on
motion $m_i$, applies the hash function to the motion and sends the hash value of
the motion, $M_i$, via the communication channel.



4.3 Transfer of Signature Shares 

In order to sign the message $M_i$, each participant $P_i$ of an authorised set $A$
$(|A| \ge t)$ chooses a random value $r_i'$ $(1 \le r_i' \le q - 1)$ and computes a public
value $r_i$, as

$$r_i = g^{r_i'} \pmod p$$

and makes $r_i$ publicly available through the broadcast channel. The combiner
also chooses a random value $r_c'$ $(1 \le r_c' \le q - 1)$ and computes a public value $r_c$,
as

$$r_c = g^{r_c'} \pmod p .$$

Once $r_c$ and all $r_i$ are available, collaborating participants of the set $A$ compute

$$r = r_c \prod_{P_i \in A} r_i \pmod p .$$

Participant $P_i \in A$ uses his secret $f(x_i)$ and his chosen one-time random $r_i'$ to
sign the message $M_i$ as

$$\sigma_i = f(x_i) \times M_i \times \prod_{P_j \in A,\, j \ne i} \frac{-x_j}{x_i - x_j} \;-\; r_i' \times r \pmod q .$$


In order to distribute partial signatures among the members present such that
every subset of cardinality $t_i$ (out of the $n_i$ members present in the $i$-th session) is
able to reconstruct the signature, participant $P_i$ generates a polynomial

$$f_i(x) = \sigma_i + a_{i1} x + \cdots + a_{i,t_i-1} x^{t_i-1} \pmod q ,$$

where the $a_{i\ell}$ are random integers in $\mathbb{Z}_q$. Then $P_i$ publishes the commitments
$g^{\sigma_i}$ and $g^{a_{i\ell}}$ $(1 \le \ell \le t_i - 1)$ and privately sends the shares $s_{ij} = f_i(x_j)$
$(1 \le j \le n_i)$ to all present participants in the $i$-th session ($P_i$ keeps his own share
$s_{ii}$). Two verifications can be done at this stage:

1. Every participant $P_j$ can verify that the share $s_{ij}$ given by $P_i$ is in fact
consistent with the partial signature $\sigma_i$, by checking

$$g^{s_{ij}} = g^{\sigma_i} \times \prod_{\ell=1}^{t_i-1} \left(g^{a_{i\ell}}\right)^{x_j^{\ell}} \pmod p .$$

2. Simultaneously, every participant, the combiner, and even an outsider can
verify the correctness of the partial signature of participant $P_i$ using

$$y_i^{\,M_i \prod_{P_j \in A,\, j \ne i} \frac{-x_j}{x_i - x_j}} = r_i^{\,r} \times g^{\sigma_i} \pmod p .$$

If the equation holds, the partial signature $(r_i, \sigma_i)$ of message $M_i$ generated
by participant $P_i$ is valid. (Both checks are equalities in the group generated
by $g$, so they are taken modulo $p$; the exponents are reduced modulo $q$.)

Note that, in spite of the verifiability of the partial signatures, nobody learns
anything about the partial signatures, and therefore about the signature
itself, beyond what the public commitments reveal, assuming that the discrete
logarithm problem is hard. Also note that dishonest members can be detected and
removed from the system at this stage.



4.4 Signing Motion Messages 

Once all partial signatures of an authorised set are distributed and verified, the
combiner discloses the messages $m_i$ and $m_i'$ (note that partial signatures are
generated as discussed previously for both messages, yes and no).

Active participants are making up their minds as to which motion they support;
they have to be either for or against the motion. Abstention is not an option.
Provided the session threshold $t_i$ is at most a majority of the members present,
$t_i \le \lceil n_i/2 \rceil$, there is always a motion that has attracted the support of at
least $t_i$ members present in the session. (To guarantee that at most one of the
two signatures can be formed, $t_i$ should be a strict majority, $t_i = \lfloor n_i/2 \rfloor + 1$;
for even $n_i$ a tie then yields no signature at all.) The supporting members submit
their shares to the combiner and thus collectively compute the valid signature
for either the message $M_i$ or $M_i'$.

In particular, participant $P_i$ keeps a share $s_{ii} = f_i(x_i)$ corresponding to the
partial signature $\sigma_i$ generated by himself. $P_i$ has also received at least $t - 1$ shares
from the other co-signers relevant to the partial signatures $\sigma_j$ $(1 \le j \le t,\, j \ne i)$. If $P_i$
adds all these shares (the computation is done modulo $q$), then the resulting value
is his share of the secret $\sum_{i=1}^{t} \sigma_i$ (according to the $(+,+)$-homomorphism
property of Shamir's threshold scheme). That is, every
participant's share is derived from the polynomial

$$F(x) = A_0 + A_1 x + A_2 x^2 + \cdots + A_{t_i-1} x^{t_i-1} \pmod q ,$$

where $A_0 = \sum_{i=1}^{t} \sigma_i$ is the signature of $M_i$ corresponding to the partial secret
$K_1$, and $A_\ell$ $(1 \le \ell \le t_i - 1)$ are random integers in $\mathbb{Z}_q$.

Each member transmits his share (on message $M_i$ or $M_i'$, as a "Yes" or "No"
vote) to the combiner. The combiner is able either to generate the valid signature
of $M_i$ (if at least $t_i$ shares for $M_i$ are available) or to generate the valid
signature of the message $M_i'$ (if at least $t_i$ shares for $M_i'$ are available).
For example, if a majority of the members present have given their votes to the
motion $m_i$, the combiner then uses his secret $K_2$ and his chosen one-time random
$r_c'$ to sign the message $M_i$ as

$$\sigma_c = M_i \times K_2 - r_c' \times r \pmod q .$$

Finally, the group signature on the message $M_i$ can be computed using

$$\sigma = \sigma_c + \sum_{P_i \in A} \sigma_i \pmod q ,$$

where the combiner obtains $\sum_{P_i \in A} \sigma_i = A_0 = F(0)$ by interpolating the $t_i$
submitted shares.

To verify the signature, everyone who knows the group public key can check

$$y^{M_i} = r^{r} \times g^{\sigma} \pmod p .$$

If the equation holds, the group signature $(r, \sigma)$ is valid. If a single
combiner is replaced by a committee, then the committee performs a similar
interaction (as performed by the participants) in order to generate their signature
on the message and to compute the group signature.

Note that, although the Shamir scheme is susceptible to cheating, the participants
cannot cheat the combiner by giving false shares because the combiner
can easily verify the correctness of the share of each participant and is thus able
to detect any possible cheating. In fact, if participant $P_j$ submits $S_j$ as his share,
then the combiner can verify the correctness of $S_j$ using

$$g^{S_j} = \prod_{P_i \in A} \left( g^{\sigma_i} \times \prod_{\ell=1}^{t_i-1} \left(g^{a_{i\ell}}\right)^{x_j^{\ell}} \right) \pmod p .$$
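As an added worked example (not part of the paper), the following Python code runs Sections 4.1 to 4.4 end to end with constructed toy parameters $p = 47$, $q = 23$ in place of the 512-bit and 160-bit primes, with $x_i = i$, and with the motion hashed by SHA-256 and reduced modulo $q$ (the paper leaves the hash function unspecified). It performs both verifications of Section 4.3, the combiner's share check of Section 4.4, and the final check $y^{M_i} = r^r g^{\sigma}$; the session quorum $t_i$ is a parameter, so a motion supported by fewer than $t_i$ members yields no signature. All function names are the example's own.

```python
"""Toy run of the democratic threshold signature of Sections 4.1-4.4.
Added example, not the paper's code.  Parameters are constructed: q | p - 1
and g has order q (the paper uses 512-bit p and 160-bit q)."""
import hashlib
import secrets

P, Q = 47, 23
G = pow(5, (P - 1) // Q, P)              # g = h^((p-1)/q), h = 5 primitive mod 47


def poly_eval(coeffs, x, mod):
    acc = 0
    for c in reversed(coeffs):           # Horner's rule
        acc = (acc * x + c) % mod
    return acc


def lagrange0(xs, mod):
    """lambda_j = prod_{l != j} x_l / (x_l - x_j): interpolation at 0."""
    lam = {}
    for xj in xs:
        num = den = 1
        for xl in xs:
            if xl != xj:
                num, den = num * xl % mod, den * (xl - xj) % mod
        lam[xj] = num * pow(den, -1, mod) % mod
    return lam


def commit_eval(commits, x):
    """prod_l C_l^(x^l) (mod p) = g^{f(x)} from the commitments C_l = g^{a_l}."""
    out = 1
    for l, c in enumerate(commits):
        out = out * pow(c, pow(x, l, Q), P) % P
    return out


def kac_setup(t, n):
    """Section 4.1: K = K1 + K2, K1 shared by f, public keys y and y_i."""
    k2 = secrets.randbelow(Q)
    f = [secrets.randbelow(Q) for _ in range(t)]                # f[0] = K1
    shares = {i: poly_eval(f, i, Q) for i in range(1, n + 1)}   # x_i = i
    y = pow(G, (f[0] + k2) % Q, P)
    y_i = {i: pow(G, s, P) for i, s in shares.items()}
    return k2, shares, y, y_i


def run_session(motion, t, n, t_i, yes_voters):
    """Sections 4.2-4.4 with all n members present; returns (y, M, r, sigma)
    or None when fewer than t_i members support the motion."""
    k2, shares, y, y_i = kac_setup(t, n)
    A = list(range(1, n + 1))
    M = int.from_bytes(hashlib.sha256(motion).digest(), "big") % Q   # M_i
    lam = lagrange0(A, Q)
    rp = {i: 1 + secrets.randbelow(Q - 1) for i in A}         # r_i'
    rc_p = 1 + secrets.randbelow(Q - 1)                       # r_c'
    r = pow(G, rc_p, P)
    for i in A:
        r = r * pow(G, rp[i], P) % P                          # r = r_c prod r_i
    commits, recv = {}, {j: 0 for j in A}
    for i in A:                                               # Section 4.3
        sigma_i = (shares[i] * M * lam[i] - rp[i] * r) % Q
        f_i = [sigma_i] + [secrets.randbelow(Q) for _ in range(t_i - 1)]
        commits[i] = [pow(G, c, P) for c in f_i]              # g^{sigma_i}, g^{a_il}
        # verification 2 (public): y_i^{M lambda_i} == r_i^r g^{sigma_i}
        assert pow(y_i[i], M * lam[i], P) == pow(pow(G, rp[i], P), r, P) * commits[i][0] % P
        for j in A:
            s_ij = poly_eval(f_i, j, Q)
            assert pow(G, s_ij, P) == commit_eval(commits[i], j)   # verification 1
            recv[j] = (recv[j] + s_ij) % Q                    # share of sum_i sigma_i
    pooled = {}
    for j in yes_voters:                                      # Section 4.4
        S_j = recv[j]
        rhs = 1                                               # combiner's check
        for i in A:
            rhs = rhs * commit_eval(commits[i], j) % P
        if pow(G, S_j, P) == rhs:
            pooled[j] = S_j
    if len(pooled) < t_i:
        return None
    lam2 = lagrange0(list(pooled)[:t_i], Q)
    a0 = sum(pooled[j] * lam2[j] for j in lam2) % Q           # = sum_i sigma_i
    sigma_c = (M * k2 - rc_p * r) % Q
    return y, M, r, (sigma_c + a0) % Q


def verify(y, M, r, sigma):
    """y^{M} == r^{r} g^{sigma} (mod p)."""
    return pow(y, M, P) == pow(r, r, P) * pow(G, sigma, P) % P
```

With $t = 2$, $n = 5$ and $t_i = 3$ (a strict majority of five), `run_session(b"motion", 2, 5, 3, [1, 2, 4])` returns a signature that `verify` accepts, while two supporters return `None`; the two inline assertions are the checks every member and outsider can recompute from broadcast values only.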
5 Security Analysis

The security of underlying cryptographic tools has been discussed in relevant 
papers. The security of the entire system will be considered in the final version 
of the paper. 

Note that, the major effort in our design (similar to the design of any other 
electronic schemes) is to satisfy the requirements imposed by a real-life system. 
One of the assumptions was the chair-person/combiner is unbiased and simply 
wants to get the decisions of the members on a motion. This is not the case 
in all real-life applications. There are situations in which a distrusted organiza- 
tion/government wants to get its members’/citizens’ vote in its favour. In such 
cases, the result of voting is questionable (since the combiner can swap “Yes” 
and “No” votes). A commonly used solution is to get the help of some arbiters, 
such as an international committee to control the voting procedure. 

In our scheme, even if the combiner is biased it cannot change the result of
the voting as long as the underlying signature scheme is unforgeable: without $t_i$
valid shares for a message the combiner cannot form $A_0$, and the verification
equation rejects any other $\sigma$. (It can still withhold the signature, since $\sigma_c$
requires its secret $K_2$; replacing the single combiner by a committee reduces this
risk.) However, the proposed scheme can be corrupted if the basic assumption of
almost all secret sharing schemes, namely that an honest dealer distributes the shares
of a secret key among all parties in the system, fails. More realistically, experience has
shown that having such a trusted authority in crucial and disputable situations
is not an easy task. In order to avoid this problem, in the final version of this
paper we will consider the case where the dealer is removed from the system.
Abstract. In this paper, we describe how to construct an efficient and
unconditionally secure verifiable threshold changeable scheme, in which
any participant can verify whether the share given by the dealer is
correct or not, in which the combiner can verify whether the pooled
shares are correct or not, and in which the threshold can be updated
plural times to values determined in advance. An optimal threshold
changeable scheme was defined and given by Martin et al., and an
unconditionally secure verifiable threshold scheme was given by Pedersen.
Martin's scheme is based on Blakley's threshold scheme whereas
Pedersen's is based on Shamir's. Hence these two schemes cannot directly be
combined. We therefore first construct an almost optimal threshold
changeable scheme based on Shamir's, and after that, using Pedersen's scheme,
construct an unconditionally secure verifiable threshold scheme in which
the threshold can be updated plural times, say N times. Furthermore,
our method decreases the amount of information the dealer has to
publish, compared with simply applying Pedersen's scheme N times.



1 Introduction 

In a secret sharing scheme, a secret is broken into several pieces so that certain
subsets of those pieces can reconstruct the secret. In a protocol, a dealer has a
secret and breaks it into several pieces called shares. An entity given a share
is called a participant, a shareholder or simply a member. In this paper, we
adopt the term participant. The entity that gathers shares and recovers the secret is
called the combiner. Basically, secret sharing is regarded as a strategy for protecting
important data. On the other hand, it is also useful for multiparty
computation, for example electronic auctions, electronic voting, and so on.

The most popular secret sharing schemes are Shamir's polynomial-based sche
me [Sha79] and Blakley's geometry-based scheme [Bla79]. In such a
scheme, a secret is broken into $n$ pieces so that the secret can be reconstructed from
any $t$ $(\le n)$ pieces, while no $t - 1$ pieces determine the secret.
Such a $t$ is called the threshold of the scheme. We call secret sharing
schemes with the property given above $(t, n)$-threshold schemes.

* Current affiliation of the first author: Alpha systems corporation. 



V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 403 ff., 2001.
(c) Springer-Verlag Berlin Heidelberg 2001



Ayako Maeda, Atsuko Miyaji, and Mitsuru Tada



There are some threshold schemes in which the threshold can be changed
without reconstructing the system [TO99, MPSW99]. In this paper, we
generically call such schemes threshold changeable schemes. In [TO99] and in the
first part of [MPSW99], after the initial setting, no secure channel is required,
and the schemes before and after the threshold is changed are set to be perfect.
However, the required share size, precisely the entropy of each share, has to
be equal to or greater than twice that of the secret. Hence if we construct
a scheme in which the threshold can be changed $N$ times, the required share
size is equal to or greater than $(N + 1)$ times that of the secret. On the other
hand, in the latter part of [MPSW99], an optimal $(t, n)$-threshold scheme that is
threshold changeable to $t'$ $(> t)$ is defined, and a concrete construction is actually
given. (As described later, we write this as a $(t \to t', n)$-threshold changeable scheme
instead of writing it as a $(t, n)$-threshold scheme that is threshold changeable to $t'$.)
In that kind of threshold changeable scheme, the scheme after the threshold
change sacrifices perfect security, but is an optimal $(t - 1, t', n)$-ramp scheme.
Furthermore, the scheme requires only a share size coinciding with the secret
size. Even in changing the threshold $N$ times, this scheme requires the same
share size as the secret size.

In Section 3 we define a $(t \to \mathbf{t}, n)$-threshold changeable scheme, in which the
threshold can be changed $N$ $(\ge 1)$ times, where $\mathbf{t} = (t_1, \ldots, t_N)$ with $t < t_k$
for $1 \le k \le N$. Note that in the case $N = 1$, that scheme has already been defined
by [MPSW99]. Each $t_k$ is the threshold after the threshold is changed $k$ times.
The optimal $(t \to t', n)$-threshold changeable scheme given by [MPSW99] can
easily be extended to a $(t \to \mathbf{t}, n)$-threshold changeable scheme.

In this paper, we discuss how to make a $(t \to \mathbf{t}, n)$-threshold changeable scheme
verifiable. By the technique of [Ped92], we can make a scheme non-interactive
and unconditionally secure. The optimal $(t \to t', n)$-threshold changeable scheme
given by [MPSW99] is unfortunately based on [Bla79]. Since Pedersen's scheme
is based on Shamir's [Sha79], it cannot directly be applied to that
optimal $(t \to t', n)$-threshold changeable scheme. We therefore first construct, based
on [Sha79], an almost optimal $(t \to \mathbf{t}, n)$-threshold changeable scheme. After
that we contrive to make such a scheme verifiable so that the whole scheme
requires the dealer to publish much less information, including the commitments,
than if we simply construct a $(t \to \mathbf{t}, n)$-threshold changeable scheme by combining
a $(t \to t_1, n)$-threshold changeable scheme, a $(t \to t_2, n)$-threshold changeable scheme, $\ldots$,
and a $(t \to t_N, n)$-threshold changeable scheme, and apply the technique of [Ped92]
$(N + 1)$ times to the whole scheme: once for the $(t, n)$-threshold scheme and once for
each $(t_k, n)$-threshold scheme $(1 \le k \le N)$.

2 Preliminaries 

First of all, we review some definitions on secret sharing schemes after giving
our notation. Let $s$ be a secret belonging to a set $S$. The secret $s$ is broken into
$n$ shares $s_1, \ldots, s_n$. Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be the set of participants. We assume
that each share $s_i$ is securely distributed to the $i$-th participant $P_i$. Let $P_i$ denote
also the set of possible shares for the participant $P_i$. Similarly, we denote by $A$
the set of the shares the participants in $A \subseteq \mathcal{P}$ hold. We say that a set $A \subseteq \mathcal{P}$
of shares can recover the secret $s$ if $H(S|A) = 0$, where $H(\cdot)$ denotes Shannon's
entropy function. Such an $A$ is called an access set. The set consisting of all access
sets is called the access structure (of a secret sharing scheme).

2.1 Threshold Scheme 

A secret sharing scheme which has $n$ participants, and whose access structure
is of the form $\{A \subseteq \mathcal{P} \mid \#A \ge t\}$ for some $t$ $(\le n)$, is called a $(t, n)$-threshold
(secret sharing) scheme. In a $(t, n)$-threshold scheme we have, in general, the
following properties: $H(S|A) = 0$ if $\#A \ge t$ and $H(S|A) > 0$ otherwise.

Definition 1. A $(t, n)$-threshold scheme is said to be perfect, if $H(S|A) = H(S)$
holds for any set $A \subseteq \mathcal{P}$ such that $\#A < t$. A perfect threshold scheme is said
to be ideal, if $H(P_i) = H(S)$ holds for any $i$ $(1 \le i \le n)$.

We can easily see that Shamir's scheme [Sha79] is perfect and ideal. The following
theorem states that there exists a lower bound for the share size in a perfect
threshold scheme.

Theorem 2 (in [Sti95]). In a perfect $(t, n)$-threshold scheme, for any $i$ $(1 \le
i \le n)$, $H(P_i) \ge H(S)$ holds.

2.2 Ramp Scheme 

As we can see in Theorem 2, in a perfect threshold scheme there exists a lower
bound for the share size. That means if $H(P_i) < H(S)$ holds for some $i$, then
the threshold scheme cannot be perfect. As a compromise between security and
efficiency, a ramp scheme is introduced in [MPSW99].

Definition 3. A $(t, n)$-threshold scheme is said to be a $(c, t, n)$-ramp scheme if
it satisfies the following properties:

$$H(S|A) = 0 \text{ if } \#A \ge t; \qquad 0 < H(S|A) < H(S) \text{ if } c < \#A < t; \qquad H(S|A) = H(S) \text{ if } \#A \le c.$$

In a ramp scheme, each share size can be smaller than the secret size. However, the
smaller the share size gets, the more information on the secret is disclosed.

Definition 4. A $(c, t, n)$-ramp scheme is said to be optimal, if it has the property
that

$$H(S|A) = \frac{t - r}{t - c}\, H(S)$$

holds for any $A \subseteq \mathcal{P}$ such that $\#A = r$ and $c \le r \le t$.

It has been shown that a $(c, t, n)$-ramp scheme with the property that

$$H(P_i) = \frac{H(S)}{t - c}$$

holds for each $i$ $(1 \le i \le n)$ is optimal.



2.3 Threshold Changeable Scheme 

In a secret sharing scheme, it often occurs that the access structure should be
changed before the secret is reconstructed. Furthermore, the dealer may often be
suspended after distributing shares. This is why we need a threshold scheme in
which the threshold can be changed without any dealer assistance; hereafter we
call such a scheme a threshold changeable scheme.

In a threshold changeable scheme, the first $(t, n)$-threshold scheme is
denoted by $\Pi$, and the derived $(t', n)$-threshold scheme is denoted by $\Pi'$. The
whole scheme is denoted by $(\Pi, \Pi')$.

As in the notation given above, for a subset $A \subseteq \mathcal{P}$ we denote the
set of the images of the respective elements under the $h_i$ by $\mathcal{H}(A)$. That is, for $A =
\{P_{i_1}, \ldots, P_{i_k}\} \subseteq \mathcal{P}$, we define $\mathcal{H}(A)$ as follows:

$$\mathcal{H}(A) := h_{i_1}(P_{i_1}) \times h_{i_2}(P_{i_2}) \times \cdots \times h_{i_k}(P_{i_k}) .$$

Definition 5 (in [MPSW99]). We say that a perfect $(t, n)$-threshold scheme is
threshold changeable to $t'$, if there exist known functions $h_i$ for $1 \le i \le n$,
such that $H(S|\mathcal{H}(A)) = 0$ for any $\#A \ge t'$, and $H(S|\mathcal{H}(A)) > 0$ for any $\#A < t'$,
where $A \subseteq \mathcal{P}$. (In this paper, we simply write a perfect $(t \to t', n)$-threshold
changeable scheme instead of a perfect $(t, n)$-threshold scheme that is threshold
changeable to $t'$.)

In the definition given above, each known function $h_i$ has to satisfy the property
that for any $P_i$ $(1 \le i \le n)$, $H(P_i|h_i(P_i)) > 0$ holds, so that $s_i$ cannot be uniquely
figured out from $s_i' = h_i(s_i)$. In this paper, we call each $s_i$ a full share (or simply a share),
and each $h_i(s_i)$ a subshare.

Though [TO99] presents an efficient way to derive $\Pi'$ from $\Pi$, both of which
are perfect, in that scheme the functions $\{h_i\}$ do not satisfy the property given
above. Hence when the threshold is changed, the corresponding secret also has
to be changed simultaneously. Since we need to change not the secret but the
threshold, we focus on the methods given by [MPSW99]. The method given in
the first part of [MPSW99] presents a threshold changeable scheme in which
both $\Pi$ and $\Pi'$ are perfect. But that method requires each share of a threshold
changeable scheme to be quite large. Concretely, letting $\alpha$ and $\beta$ denote
the secret size and the share size, respectively, $\beta \ge 2\alpha$ holds in such
a threshold changeable scheme. Hence, as described in the following section, if
we extend a threshold changeable scheme so that the threshold can be changed
plural times, say $N$ $(\ge 2)$ times, then the required share size $\beta$ is equal to or
greater than $(N + 1)$ times the secret size, i.e. $\beta \ge (N + 1)\alpha$. For efficiency of
the whole scheme, we aim at a perfect threshold changeable scheme in which $\Pi$
is ideal, as in the latter part of [MPSW99], even if perfect security of $\Pi'$ is lost.

We can easily see that a perfect $(t \to t', n)$-threshold changeable scheme
$(\Pi, \Pi')$, in which $\Pi$ is a $(t, n)$-threshold scheme and $\Pi'$ is a $(t', n)$-threshold
scheme, has the property that $H(S|\mathcal{H}(A)) = 0$ if $\#A \ge t'$ and $H(S|\mathcal{H}(A)) =
H(S)$ if $\#A < t$, since $\#A < t$ implies $H(S) \ge H(S|\mathcal{H}(A)) \ge H(S|A) = H(S)$.

2.4 Efficiency Measure 

Let $(\Pi, \Pi')$ be a perfect $(t \to t', n)$-threshold changeable scheme. Then the
efficiency of such a scheme can be measured by the following:

(1) The maximum and average size of the share which needs to be stored by the
participants, denoted by $H(P_i)$ for $1 \le i \le n$;

(2) The amount of information which needs to be delivered for reconstruction of
the secret at pooling time, denoted by $H(\mathcal{H}(A))$ for $A \subseteq \mathcal{P}$
where $\#A = t'$;

(3) The size of the shares after the update of the threshold, denoted by $H(h_i(P_i))$ for
$1 \le i \le n$.

Theorem 6 (in [MPSW99]). Let $(\Pi, \Pi')$ be a perfect $(t \to t', n)$-threshold
changeable scheme using functions $\{h_i\}$. Then the following hold:

(1) $H(P_i) \ge H(S)$ holds for each $i$ $(1 \le i \le n)$;

(2) $H(\mathcal{H}(A)) \ge \frac{t'}{t' - t + 1}\, H(S)$ holds for every $A \subseteq \mathcal{P}$ with $\#A = t'$;

(3) $\max_{1 \le i \le n}\{H(h_i(P_i))\} \ge \frac{H(S)}{t' - t + 1}$ holds.

Note that $\max_{1 \le i' \le n}\{H(h_{i'}(P_{i'}))\} = H(h_i(P_i))$ for each $i$ $(1 \le i \le n)$, if $\{h_i\}$
is common among the participants, and if all $P_i$'s come from the same domain
with the same probability.

Definition 7 (in [MPSW99]). We say that a perfect $(t \to t', n)$-threshold
changeable scheme is optimal, if each bound
in Theorem 6 is met with equality.

Corollary 8. If a perfect $(t \to t', n)$-threshold changeable scheme $(\Pi, \Pi')$ is
optimal, then $\Pi$ is ideal and $\Pi'$ is an optimal $(t - 1, t', n)$-ramp scheme.

In addition to the definition given above, we define the slightly looser property
of a threshold changeable scheme.

Definition 9. Let $(\Pi, \Pi')$ be a perfect $(t \to t', n)$-threshold changeable scheme
using functions $\{h_i\}$. Then the whole scheme is defined to be almost optimal
if the following holds:

(1) $H(P_i) = H(S)$ holds for each $i$ $(1 \le i \le n)$;

(2) $0 \le H(\mathcal{H}(A)) - \frac{t'}{t' - t + 1}\, H(S) \le c_1$ holds for every $A \subseteq \mathcal{P}$ with
$\#A = t'$ and some $c_1 \ge 0$ independent of $H(S)$ or $n$;

(3) $0 \le \max_{1 \le i \le n}\{H(h_i(P_i))\} - \frac{H(S)}{t' - t + 1} \le c_2$ holds for some $c_2 \ge 0$
which does not depend upon $H(S)$, $t$, $t'$ or $n$.

From the definition, we can immediately see that an optimal threshold changeable
scheme is an almost optimal one in the special case $c_1 = c_2 = 0$.

2.5 Verifiable Secret Sharing Scheme 

A verifiable secret sharing scheme enables each participant to check whether
the share given to her by the dealer is indeed correct or not, and also the combiner
to check whether each pooled share is indeed correct or not. Verifiable secret
sharing schemes are applied as tools for secure multi-party computation and for key
management. In this paper, we extend our proposed threshold changeable scheme
to be verifiable using the method given by [Ped92], since it provides unconditional
security and non-interactivity between the dealer and the participants.

3 Threshold Scheme with N-time Threshold Changeability

In this section, we first extend a perfect $(t \to t', n)$-threshold changeable scheme
$(\Pi, \Pi')$ to a perfect $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$,
where $\mathbf{t} = (t_1, \ldots, t_N)$ with $t < t_k$ for each $k$ $(1 \le k \le N)$ and with $t_k \ne t_{k'}$
for $k \ne k'$. In such a scheme, without dealer assistance, the threshold can
be changed one after another, that is, from $t$ to $t_1$, from $t_1$ to $t_2$, and so on^,
under the assumption that the secret has not been recovered before the threshold
is changed, and that no share has been pooled. We name each derived $(t_k, n)$-
threshold scheme $\Pi_k$. The dealer publishes a set of functions $\{h^{(k)}_i\}_{1 \le k \le N}$ so
that the participants can compute their subshares for $\{\Pi_k\}_{1 \le k \le N}$ by themselves.
For a participant $P_i$ given a share $s_i$, her subshare for $\Pi_k$ is computed as $h^{(k)}_i(s_i)$.
For a set $A \subseteq \mathcal{P}$, the set of their subshares for $\Pi_k$ is denoted by $\mathcal{H}^{(k)}(A)$, that
is, we define $\mathcal{H}^{(k)}(A)$ as follows:

$$\mathcal{H}^{(k)}(A) := h^{(k)}_{i_1}(P_{i_1}) \times h^{(k)}_{i_2}(P_{i_2}) \times \cdots \times h^{(k)}_{i_m}(P_{i_m}) ,$$

where $A = \{P_{i_1}, P_{i_2}, \ldots, P_{i_m}\}$. Note that the thresholds $(t_1, \ldots, t_N)$ have to be
determined in advance, since we assume that the dealer is suspended after the
initial setting of the scheme. Formally, a $(t \to \mathbf{t}, n)$-threshold changeable scheme
is defined as follows.

^ We may regard this kind of scheme as one in which the threshold can be changed to
an arbitrary value among $\{t_1, t_2, \ldots, t_N\}$, each of which is determined in advance.

Definition 10. Let $\mathbf{t}$ be $(t_1, \ldots, t_N)$ with $t_k > t$ for each $k$ $(1 \le k \le N)$. A
$(t \to \mathbf{t}, n)$-threshold changeable scheme is a $(t, n)$-threshold scheme in which,
for $1 \le i \le n$ and $1 \le k \le N$, there exist known functions $h^{(k)}_i$ such that
$H(S|\mathcal{H}^{(k)}(A)) = 0$ for any $\#A \ge t_k$, and $H(S|\mathcal{H}^{(k)}(A)) > 0$ for any $\#A < t_k$,
where $A \subseteq \mathcal{P}$.

The properties "optimal" and "almost optimal" can be defined also for a
perfect $(t \to \mathbf{t}, n)$-threshold changeable scheme.

Definition 11. A perfect $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$
is said to be optimal (or almost optimal), if each threshold changeable scheme
$(\Pi, \Pi_k)$ $(1 \le k \le N)$ is optimal (or almost optimal, respectively), and if for
distinct $k$ and $k'$, $\Pi_k$ and $\Pi_{k'}$ are independent of each other, that is, if it holds
that $I(h^{(k)}_i(P_i); h^{(k')}_i(P_i)) = 0$ for any $k$ and $k'$ with $k \ne k'$.

The equation $I(h^{(k)}_i(P_i); h^{(k')}_i(P_i)) = 0$ means that the subshare for $\Pi_k$ gives
no information on the subshare for $\Pi_{k'}$. In the following, we construct a perfect
$(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$ based on [Sha79], in
which $\Pi$ is ideal. From now on, we omit the subscript of $h^{(k)}_i$ and write $h^{(k)}$,
since in this paper $h^{(k)}_i$ is common among the participants for each $k$
$(1 \le k \le N)$. By defining $h^{(k)}$ as in Section 3.2, the following $(t \to \mathbf{t}, n)$-
threshold changeable scheme can be shown to be almost optimal.

3.1 Construction of a Perfect Threshold Changeable Scheme with
N-time Threshold Changeability

Let $n$ be the number of participants. For simplicity, we assume that the thresholds
$t$ and $\mathbf{t} = (t_1, \ldots, t_N)$ with $t < t_k \le n$ for $1 \le k \le N$ satisfy $(2 \le)\, t < t_1 <
t_2 < \cdots < t_N \le n$. Let $q$ be a prime of length $L$ such that $L$ is a multiple
of $\mathrm{lcm}(t_1 - t + 1, \ldots, t_N - t + 1)$. Note that the prime $q$ satisfies $q = 2^L - \varepsilon$
with $\varepsilon < 2^{L-1}$. Then for the secret $s \in \mathbb{Z}_q$, the dealer constructs a perfect
$(t \to \mathbf{t}, n)$-threshold scheme as follows:

(i) First the dealer constructs Shamir's $(t, n)$-threshold scheme for the secret
$s \in \mathbb{Z}_q$. That means the dealer chooses a polynomial of degree at most $t - 1$,
$f(x) = a_{0,0} + a_{0,1} x + \cdots + a_{0,t-1} x^{t-1} \in \mathbb{Z}_q[x]$, with $f(0) = s$. Each (full)
share $s_i$ for $P_i$ is defined to be $f(i) \pmod q$.

(ii) The dealer provides $N$ public functions $\{h^{(k)}\}_{1 \le k \le N}$ such that for all $i$ and
$k$, $H(h^{(k)}(P_i)|P_i) = 0$ and $H(P_i|h^{(k)}(P_i)) > 0$ $(1 \le i \le n,\ 1 \le k \le N)$. (A
concrete example of the set $\{h^{(k)}\}$ is given in the following subsection.) For
each participant $P_i$, her subshare $s^{(k)}_i$ for the $(t_k, n)$-threshold scheme $\Pi_k$
is defined by $h^{(k)}(s_i)$.

(iii) To construct $\Pi_1$ from $\Pi$, the dealer figures out the polynomial $f_1(x)$ for the
$(t_1, n)$-threshold scheme $\Pi_1$ using $f(x)$. $f_1(x)$ is of the form

$$f_1(x) = f(x) + a_{1,t} x^{t} + a_{1,t+1} x^{t+1} + \cdots + a_{1,t+n-1} x^{t+n-1} ,$$

where each coefficient $a_{1,j}$ $(t \le j \le t + n - 1)$ is found from the $n$ equations
$f_1(i) = s^{(1)}_i$ $(1 \le i \le n)$. Here we define $f_1^{*}$ and $f_1^{**}$ as follows:

$$f_1^{*}(x) := f(x) + a_{1,t} x^{t} + \cdots + a_{1,t_1-1} x^{t_1-1} , \qquad f_1^{**}(x) := f_1(x) - f_1^{*}(x) .$$

Then if the polynomial $f_1^{**}(x)$ is made public, the (secret) polynomial $f_1^{*}(x)$ can be
disclosed by any $t_1$ subshares from $\{s^{(1)}_i\}$.

(iv) For $k$ $(1 \le k \le N - 1)$, to construct $\Pi_{k+1}$ from $\Pi_k$, the dealer figures out
the polynomial $f_{k+1}(x)$ for $\Pi_{k+1}$ using $f_k^{*}(x)$. $f_{k+1}(x)$ is of the form

$$f_{k+1}(x) = f_k^{*}(x) + a_{k+1,t_k} x^{t_k} + \cdots + a_{k+1,t_k+n-1} x^{t_k+n-1} ,$$

where the $n$ coefficients $a_{k+1,j}$ $(t_k \le j \le t_k + n - 1)$ are found from the $n$
equations $f_{k+1}(i) = s^{(k+1)}_i$ $(1 \le i \le n)$. Here we similarly define $f_{k+1}^{*}$ and $f_{k+1}^{**}$ as
follows:

$$f_{k+1}^{*}(x) := f_k^{*}(x) + a_{k+1,t_k} x^{t_k} + \cdots + a_{k+1,t_{k+1}-1} x^{t_{k+1}-1} , \qquad f_{k+1}^{**}(x) := f_{k+1}(x) - f_{k+1}^{*}(x) .$$

(v) The dealer securely distributes each $s_i$ to $P_i$, and publishes the $N$ polynomials
$f_1^{**}(x), \ldots, f_N^{**}(x)$ and the $N$ functions $h^{(1)}, \ldots, h^{(N)}$, which derive the
subshares from the shares.

If no threshold change has happened, the combiner recovers the secret $s$ by
gathering any $t$ (full) shares $s_{i_j}$ $(1 \le j \le t)$, just as in Shamir's scheme. On
the other hand, in case the combiner attempts to recover the secret in the
scheme $\Pi_k$ $(1 \le k \le N)$, she gathers any $t_k$ subshares $s^{(k)}_{i_j}$ $(1 \le j \le t_k)$. Then
the secret $s$ can be figured out by the following formula, which resembles the so-called
Lagrange polynomial interpolation:

$$s = \sum_{1 \le j \le t_k} \left( s^{(k)}_{i_j} - f_k^{**}(i_j) \right) \prod_{1 \le l \le t_k,\, l \ne j} \frac{i_l}{i_l - i_j} \pmod q .$$

Note that in the scheme given above, $\Pi_1$ is constructed using $\Pi$, and each $\Pi_k$
$(2 \le k \le N)$ is constructed using $\Pi_{k-1}$. On the other hand, we can also construct
$(\Pi, \Pi_1, \ldots, \Pi_N)$ in such a way that every $\Pi_k$ $(1 \le k \le N)$ is constructed using
$\Pi$, not using the previous $\Pi_{k-1}$. Such a scheme is, however, less efficient from
the viewpoint of the amount of information the dealer has to publish than the
scheme we have just constructed in this subsection. We show the details later in
the paper.



3.2 Example of the Functions $h^{(k)}$

As far as we construct the scheme given in the previous subsection, we cannot
make any $(\Pi, \Pi_k)$ $(1 \le k \le N)$ exactly optimal. If we constructed the scheme over
a field $\mathbb{Z}_{q'^a}$, with a prime $q'$ and $a$ a multiple of $\mathrm{lcm}(t_1 - t + 1, \ldots, t_N - t + 1)$,
then we could make each $(\Pi, \Pi_k)$ exactly optimal. But in that case, we cannot
efficiently apply the technique of [Ped92] to that threshold changeable scheme.

In a $(t \to \mathbf{t}, n)$-threshold changeable scheme, if $\Pi$ is ideal, then the possible
number $N$ of threshold changes is restricted as the following proposition
states:

Proposition 12. In a $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$,
if $\Pi$ is ideal, and if the whole scheme is (almost) optimal, then the possible
thresholds satisfy $\sum_{k=1}^{N} \frac{1}{t_k - t + 1} \le 1$.

Proof. Since $\Pi$ is ideal and the subshares for distinct $\Pi_k$ are independent, we have

$$H(S) = H(P_i) \ge H(P^{(1)}_i) + \cdots + H(P^{(N)}_i)$$

for each $i$ $(1 \le i \le n)$, where $P^{(k)}_i$ denotes $h^{(k)}(P_i)$. Since each $(\Pi, \Pi_k)$ is
(almost) optimal, $H(P^{(k)}_i) \ge H(S)/(t_k - t + 1)$ by Theorem 6 (3), and dividing
by $H(S)$ gives the claim.

For example, in the case $t_1 = t + 1$, $t_2 = t + 2$ and $t_3 = t + 5$, since $\sum_{k=1}^{3} \frac{1}{t_k - t + 1} =
\frac{1}{2} + \frac{1}{3} + \frac{1}{6} = 1$, a fourth threshold would force a correlation among the $\{P^{(k)}_i\}$.
Hereafter we implicitly assume that the set of thresholds
$\{t_1, \ldots, t_N\}$ and the number $N$ of threshold changes satisfy the statement
of the previous proposition.

Now we define the functions $h^{(k)}$ $(1 \le k \le N)$ as follows. Note that $q$ is of
length $L$ and that $L$ is a multiple of $\mathrm{lcm}(t_1 - t + 1, \ldots, t_N - t + 1)$.

- For an element $x \in \mathbb{Z}_q$, $h^{(1)}(x)$ is the substring of $x$ from the first (rightmost)
bit to the $(L/(t_1 - t + 1))$-th bit. That is, for $x \in \mathbb{Z}_q$, we define

$$h^{(1)}(x) := x \pmod{2^{L/(t_1 - t + 1)}} .$$

- Define $T_k$ to be $\sum_{j=1}^{k} 1/(t_j - t + 1)$. For an element $x \in \mathbb{Z}_q$ and $k$ $(2 \le
k \le N)$, $h^{(k)}(x)$ is the substring of $x$ from the $(1 + L T_{k-1})$-th bit to the $(L T_k)$-th
bit. That is, for $x \in \mathbb{Z}_q$ and $k$ $(2 \le k \le N)$, we define

$$h^{(k)}(x) := \left\lfloor \frac{x}{2^{L T_{k-1}}} \right\rfloor \pmod{2^{L/(t_k - t + 1)}} .$$

In the following, we show that the proposed $(t \to \mathbf{t}, n)$-threshold changeable
scheme using the functions given above is almost optimal.

Proposition 13. The $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$
in Section 3.1 is almost optimal, if it uses the functions $h^{(k)}$ given above.

Proof. We will prove that our scheme satisfies the conditions in Definition 11,
that is, the conditions (1), (2) and (3) in Definition 9 and the condition that for
$k$ and $k'$ with $k \ne k'$, $\Pi_k$ and $\Pi_{k'}$ are independent of each other.

The first condition (1) follows immediately from the fact that $\Pi$ is just
Shamir's scheme.

Next we show the third condition. Since we suppose that $q$ is a prime such
that $q = 2^L - \varepsilon$ with $\varepsilon < 2^{L-1}$, we have

$$H(S) = \log(2^L - \varepsilon) > \log(2^L - 2^{L-1}) = L - 1 .$$

Furthermore, from $H(h^{(k)}(P_i)) \le L/(t_k - t + 1)$ for each $k$ $(1 \le k \le N)$, we get

$$H(h^{(k)}(P_i)) - \frac{H(S)}{t_k - t + 1} \le \frac{L}{t_k - t + 1} - \frac{L - 1}{t_k - t + 1} = \frac{1}{t_k - t + 1} \le \frac{1}{2} ,$$

and the lower bound $0 \le H(h^{(k)}(P_i)) - H(S)/(t_k - t + 1)$ is Theorem 6 (3).
Hence the third condition is satisfied with $c_2 = 1/2$. The second one is immediately
obtained from the third one.

Finally, the last condition that $I(h^{(k)}(P_i); h^{(k')}(P_i)) = 0$ for each $k, k'$ with $k \ne k'$
comes from the fact that for any $x \in \mathbb{Z}_q$ the strings $h^{(k)}(x)$ and $h^{(k')}(x)$ are
indeed disjoint.
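The construction of Section 3.1 together with the bit-window functions of Section 3.2, as an added example that is not the paper's code, for the constructed parameters $t = 2$, $\mathbf{t} = (3, 4)$, $n = 5$, $L = 6$ and $q = 61 = 2^6 - 3$ (so $L$ is a multiple of $\mathrm{lcm}(2, 3)$ and $\varepsilon = 3 < 2^5$). Rather than solving the $n$ linear equations for $a_{k,j}$ directly, the dealer here writes $f_k(x) = f_{k-1}^{*}(x) + x^{d} g(x)$ with $d$ the previous threshold and obtains $g$ by interpolating $g(i) = (h^{(k)}(s_i) - f_{k-1}^{*}(i))\, i^{-d}$, which is the same system in a different form; the function names are the example's own.

```python
"""Dealer-free threshold change (Sections 3.1-3.2): a (2 -> (3, 4), 5) scheme.
Added example, not the paper's code.  Constructed parameters: L = 6 is a
multiple of lcm(3-2+1, 4-2+1) = 6 and q = 2^6 - 3 = 61 is prime, eps = 3 < 2^5."""
import secrets

Q, L = 61, 6
T, THRESHOLDS, N_PARTS = 2, (3, 4), 5          # t, (t_1, t_2), n


def poly_eval(c, x):
    acc = 0
    for coef in reversed(c):
        acc = (acc * x + coef) % Q
    return acc


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def interpolate(points):
    """Coefficient form of the unique polynomial of degree < len(points)
    through the (x, y) pairs (Lagrange's formula over Z_q)."""
    coeffs = [0] * len(points)
    for xj, yj in points:
        basis, denom = [1], 1
        for xl, _ in points:
            if xl != xj:
                basis = poly_mul(basis, [(-xl) % Q, 1])      # (x - x_l)
                denom = denom * (xj - xl) % Q
        scale = yj * pow(denom, -1, Q) % Q
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % Q
    return coeffs


def subshare_fn(k):
    """h^(k) of Section 3.2: the bit window [L*T_{k-1}, L*T_k) of a share."""
    widths = [L // (tk - T + 1) for tk in THRESHOLDS]          # [3, 2]
    lo = sum(widths[:k - 1])
    return lambda x: (x >> lo) % (1 << widths[k - 1])


def deal(secret):
    """Dealer: full shares s_i = f(i) and the public polynomials f_k^{**}."""
    f = [secret] + [secrets.randbelow(Q) for _ in range(T - 1)]
    shares = {i: poly_eval(f, i) for i in range(1, N_PARTS + 1)}
    f_star, public, deg = f, [], T
    for k, tk in enumerate(THRESHOLDS, start=1):
        h = subshare_fn(k)
        # f_k = f_{k-1}^* + x^deg * g with g(i) = (h(s_i) - f_{k-1}^*(i)) / i^deg
        pts = [(i, (h(s) - poly_eval(f_star, i)) * pow(pow(i, deg, Q), -1, Q) % Q)
               for i, s in shares.items()]
        g = interpolate(pts)                                  # degree <= n - 1
        f_k = f_star + [0] * (deg - len(f_star)) + g          # coefficients of f_k
        f_star = f_k[:tk]                                     # f_k^*: degree <= t_k - 1
        public.append([0] * tk + f_k[tk:])                    # f_k^{**}: degrees >= t_k
        deg = tk
    return shares, public


def recover(k, subshares, public):
    """Any t_k subshares {i: h^(k)(s_i)} plus the public f_k^{**} give s."""
    pts = [(i, (y - poly_eval(public[k - 1], i)) % Q) for i, y in subshares.items()]
    return interpolate(pts)[0]                                # f_k^*(0) = s


def threshold_change_demo(secret=42):
    """Recover s with t = 2 full shares, t_1 = 3 subshares, t_2 = 4 subshares."""
    shares, public = deal(secret)
    h1, h2 = subshare_fn(1), subshare_fn(2)
    r0 = interpolate([(i, shares[i]) for i in (2, 5)])[0]
    r1 = recover(1, {i: h1(shares[i]) for i in (1, 3, 4)}, public)
    r2 = recover(2, {i: h2(shares[i]) for i in (1, 2, 4, 5)}, public)
    return r0, r1, r2
```

The subshares for $\Pi_1$ are the low three bits of each share and those for $\Pi_2$ the next two bits, so each participant derives them locally and the dealer is never contacted after setup; `threshold_change_demo` returns the secret three times, once per threshold.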



4 Efficient VSS for $(t \to \mathbf{t}, n)$-Threshold Changeable
Scheme

In this section, we make the $(t \to \mathbf{t}, n)$-threshold scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$ verifiable.
Denote by $\Pi^{v}$ the verifiable $(t, n)$-threshold scheme derived by making
$\Pi$ verifiable. Also for each $k$ $(1 \le k \le N)$, denote by $\Pi^{v}_k$ the verifiable $(t_k, n)$-
threshold scheme derived by making $\Pi_k$ verifiable. To provide unconditional
security and non-interactivity among the entities for verification, we adopt
Pedersen's technique [Ped92]. Of course, by constructing $\Pi$ and the $\Pi_k$'s independently
and by applying that technique to $\Pi$ and each $\Pi_k$, we can accomplish our purpose,
but here we contrive to reduce the amount of information the dealer has to
publish, by applying [Ped92] to the very $(t \to \mathbf{t}, n)$-threshold changeable scheme
given in the previous section.

How to set up the parameters $q$, $t$, $t_k$ $(1 \le k \le N)$, $N$ and $h^{(k)}$ $(1 \le k \le N)$
is exactly the same as in the previous section. In addition to those parameters, we
let $p$ be a prime such that $q$ divides $p - 1$ and such that $q^2 < p$ holds^, and let $\alpha$
and $\beta$ be order-$q$ elements in $\mathbb{Z}_p^{*}$. Those two bases $\alpha$ and $\beta$ should be randomly
picked by the dealer, or should be chosen by some trusted third party, so that
$\log_\alpha \beta$ is not known to any entity joining the scheme. Note that for
$s$ and $u$ belonging to $\mathbb{Z}_q$, the dealer can find another pair $(s', u') \in \mathbb{Z}_q \times \mathbb{Z}_q$
such that $\alpha^{s} \beta^{u} = \alpha^{s'} \beta^{u'} \pmod p$ if and only if she knows the discrete logarithm
$\log_\alpha \beta$ modulo $p$.

In the following, we describe how to construct an almost optimal (t — *■ t,n)- 
threshold changeable scheme with verifiability. 

^ Usually we let p and 5 be a 1024-bit prime and a 160-bit prime, respectively. Hence 
this assumption tp < p restricts quite little for p and q. 
(i) First the dealer constructs a perfect and verifiable $(t, n)$-threshold scheme $\Pi^v$ just like [Ped92]. That means for a secret $s \in \mathbb{Z}_q$, the dealer randomly picks a polynomial $f(x) \in \mathbb{Z}_q[x]$ of degree at most $t - 1$ such that $f(0) = s$, and also picks a random $u \in \mathbb{Z}_q$ and a polynomial $g(x) \in \mathbb{Z}_q[x]$ of degree at most $t - 1$ such that $g(0) = u$. The full share $s_i$ for $P_i$ is defined by $f(i)$. Also $u_i$ is defined by $g(i)$ and called a twin share for $P_i$. Here let $f(x) = s + a_{0,1}x + \cdots + a_{0,t-1}x^{t-1}$ and $g(x) = u + b_{0,1}x + \cdots + b_{0,t-1}x^{t-1}$.

The commitments $E_0, E_1, \ldots, E_{t-1}$ for $(s, u), (a_{0,1}, b_{0,1}), \ldots, (a_{0,t-1}, b_{0,t-1})$ are defined by $E_0 := E(s, u)$ and $E_j := E(a_{0,j}, b_{0,j})$ ($1 \le j \le t - 1$), where for $x, y \in \mathbb{Z}_q$, $E(x, y) := \alpha^x \beta^y \pmod p$.

(ii) For each $i$ and $k$ ($1 \le i \le n$, $1 \le k \le N$), the dealer computes $s_i^{(k)}$ and $u_i^{(k)}$ defined by $h^{(k)}(s_i)$ and $h^{(k)}(u_i)$, respectively. Each $s_i^{(k)}$ and each $u_i^{(k)}$ are called a subshare and a twin subshare, respectively.

(iii) To construct $\Pi_1^v$ from $\Pi^v$, the dealer figures out the polynomials $f_1(x)$ and $g_1(x)$ of the form

$f_1(x) = f(x) + a_{1,t}x^{t} + \cdots + a_{1,t+n-1}x^{t+n-1};$

$g_1(x) = g(x) + b_{1,t}x^{t} + \cdots + b_{1,t+n-1}x^{t+n-1},$

where the $n$ coefficients $a_{1,j}$ and the $n$ coefficients $b_{1,j}$ ($t \le j \le t + n - 1$) are determined by the $n$ equations $f_1(i) = s_i^{(1)}$ and by the $n$ equations $g_1(i) = u_i^{(1)}$ ($1 \le i \le n$), respectively. Here we define

$f_1^{\sharp}(x) := f(x) + a_{1,t}x^{t} + \cdots + a_{1,t_1-1}x^{t_1-1};$

$f_1^{\circ}(x) := f_1(x) - f_1^{\sharp}(x).$

Similarly we define $g_1^{\sharp}(x) := g(x) + b_{1,t}x^{t} + \cdots + b_{1,t_1-1}x^{t_1-1}$ and $g_1^{\circ}(x) := g_1(x) - g_1^{\sharp}(x)$. For each $j$ ($t \le j \le t_1 - 1$), the commitment $E_j$ for $(a_{1,j}, b_{1,j})$ is defined by $E(a_{1,j}, b_{1,j})$.

(iv) For $k$ ($1 \le k \le N - 1$), to construct $\Pi_{k+1}^v$ from $\Pi_k^v$, the dealer figures out the polynomials $f_{k+1}(x)$ and $g_{k+1}(x)$ using $f_k^{\sharp}(x)$ and $g_k^{\sharp}(x)$, respectively. $f_{k+1}(x)$ and $g_{k+1}(x)$ are of the form

$f_{k+1}(x) = f_k^{\sharp}(x) + a_{k+1,t_k}x^{t_k} + \cdots + a_{k+1,t_k+n-1}x^{t_k+n-1};$

$g_{k+1}(x) = g_k^{\sharp}(x) + b_{k+1,t_k}x^{t_k} + \cdots + b_{k+1,t_k+n-1}x^{t_k+n-1},$

where the $n$ coefficients $a_{k+1,j}$ and the $n$ coefficients $b_{k+1,j}$ ($t_k \le j \le t_k + n - 1$) are determined by the $n$ equations $f_{k+1}(i) = s_i^{(k+1)}$ and by the $n$ equations $g_{k+1}(i) = u_i^{(k+1)}$, respectively. Here we define

$f_{k+1}^{\sharp}(x) := f_k^{\sharp}(x) + a_{k+1,t_k}x^{t_k} + \cdots + a_{k+1,t_{k+1}-1}x^{t_{k+1}-1};$

$f_{k+1}^{\circ}(x) := f_{k+1}(x) - f_{k+1}^{\sharp}(x).$

Similarly we define $g_{k+1}^{\sharp}(x) := g_k^{\sharp}(x) + b_{k+1,t_k}x^{t_k} + \cdots + b_{k+1,t_{k+1}-1}x^{t_{k+1}-1}$ and $g_{k+1}^{\circ}(x) := g_{k+1}(x) - g_{k+1}^{\sharp}(x)$. For each $j$ ($t_k \le j \le t_{k+1} - 1$), the commitment $E_j$ for $(a_{k+1,j}, b_{k+1,j})$ is defined by $E(a_{k+1,j}, b_{k+1,j})$.

(v) The dealer securely distributes each $(s_i, u_i)$ to $P_i$, and publishes the $2N$ polynomials $\{f_k^{\circ}(x)\}_{1 \le k \le N}$ and $\{g_k^{\circ}(x)\}_{1 \le k \le N}$, the functions $\{h^{(k)}\}_{1 \le k \le N}$ and the commitments $\{E_j\}_{0 \le j \le t_N - 1}$.

Each participant $P_i$ given $(s_i, u_i)$ can verify whether her share and twin share are correct by the following verification:

$E(s_i, u_i) = \prod_{j=0}^{t-1} E_j^{\,i^j} \pmod p,$

and also can, for each $k$ ($1 \le k \le N$), verify whether each pair of her subshares and twin subshares is correct by the following verification:

$E\big(s_i^{(k)} - f_k^{\circ}(i),\; u_i^{(k)} - g_k^{\circ}(i)\big) = \prod_{j=0}^{t_k-1} E_j^{\,i^j} \pmod p.$

In recovering the secret, the combiner can similarly verify whether the full shares or the subshares she has gathered are correct by the verifications given above.
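The polynomial mechanics of steps (i) to (iv), as an added example written in Python that is not code from the paper: it builds $f$ and $f_1$ for a single threshold change ($N = 1$), determines the $n$ extension coefficients from the $n$ equations $f_1(i) = s_i^{(1)}$ by solving the linear system over $\mathbb{Z}_q$, publishes the open part $f_1^{\circ}$, and lets $t_1$ participants recover $s$ from their subshares. Two assumptions stand in for what the text defines elsewhere: the subshare function $h^{(1)}$ is taken to be the low $\lfloor L/(t_1 - t + 1) \rfloor$ bits of the full share, and the twin polynomials $g$, $g_1$ and the Pedersen commitments are left out so that the threshold change stands on its own. The prime $q$, the parameters $n, t, t_1$ and the secret are constructed toy values.

```python
"""Threshold change by polynomial extension (steps (i)-(iv), single change t -> t1).

Added example, not the paper's code.  Assumptions: N = 1, the subshare
function h^(1) is the low ELL bits of the full share, twin shares and
Pedersen commitments are omitted.  All parameters are constructed toy values.
"""
import random

Q = 2**31 - 1                  # prime field size (a Mersenne prime), L = 31 bits
L = 31
N_PLAYERS, T, T1 = 5, 2, 3     # n players, initial threshold t, new threshold t1
ELL = L // (T1 - T + 1)        # subshare length: 15 of the 31 bits


def poly_eval(coeffs, x, q=Q):
    """Horner evaluation of sum_j coeffs[j] x^j mod q (coeffs[0] is the constant)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def solve_mod(mat, rhs, q=Q):
    """Solve mat * a = rhs over Z_q by Gauss-Jordan elimination (q prime)."""
    n = len(rhs)
    aug = [row[:] + [r] for row, r in zip(mat, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] % q)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(v * inv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                fac = aug[r][col]
                aug[r] = [(a - fac * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def interp0(points, q=Q):
    """Lagrange interpolation at 0 through the (x, y) points (Shamir recovery)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def h1(share):
    """Assumed subshare function: the low ELL bits of the full share."""
    return share & ((1 << ELL) - 1)


def dealer(secret, rng):
    """Steps (i)-(iii): share `secret` with f of degree t-1, derive the subshares,
    and extend f to f_1 of degree t+n-1 with f_1(i) = subshare_i for every i.
    Returns the full shares, the open polynomial f_1^o (published) and f_1 itself
    (returned only so the demo can check the construction)."""
    f = [secret] + [rng.randrange(Q) for _ in range(T - 1)]
    shares = {i: poly_eval(f, i) for i in range(1, N_PLAYERS + 1)}
    sub = {i: h1(s) for i, s in shares.items()}
    # n unknowns a_{1,t}..a_{1,t+n-1}:  sum_j a_{1,j} i^j = sub_i - f(i)  for i = 1..n
    mat = [[pow(i, T + j, Q) for j in range(N_PLAYERS)] for i in sub]
    rhs = [(sub[i] - shares[i]) % Q for i in sub]
    f1 = f + solve_mod(mat, rhs)
    f1_open = [0] * T1 + f1[T1:]         # coefficients of x^j for j >= t1 are published
    return shares, f1_open, f1


def recover_from_subshares(subshares, f1_open):
    """t1 participants strip the public part f_1^o and interpolate the hidden
    degree-(t1-1) polynomial f_1^# at 0, which is f(0) = s."""
    pts = [(i, (v - poly_eval(f1_open, i)) % Q) for i, v in list(subshares.items())[:T1]]
    return interp0(pts)


def demo(secret=123456789, seed=7):
    """Deal, then let participants 2, 4 and 5 recover the secret from subshares."""
    shares, f1_open, f1 = dealer(secret, random.Random(seed))
    sub = {i: h1(s) for i, s in shares.items()}
    assert all(poly_eval(f1, i) == sub[i] for i in sub)   # f_1 hits every subshare
    return recover_from_subshares({i: sub[i] for i in (2, 4, 5)}, f1_open)
```

The system solved in `dealer` is a Vandermonde matrix scaled row-wise by $i^t$, so it is invertible for distinct $i$ whenever $q > n$; that is what lets the dealer force $f_1$ through the $n$ subshares without touching $f$. Only the coefficients of degree $t_1$ and above are published, so a group of $t_1$ holders can peel them off and interpolate the hidden degree-$(t_1 - 1)$ part, while each subshare carries only about $1/(t_1 - t + 1)$ of the bits of a full share.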

5 Efficiency of the Proposed Scheme

In this section, we estimate the efficiency of the proposed verifiable threshold changeable scheme with $N$-time threshold changeability. For simplicity of description, we name the various types of schemes as follows:

Scheme-I: A verifiable $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi^v, \Pi_1^v, \ldots, \Pi_N^v)$ in which $\Pi$ and all $\Pi_k$ ($1 \le k \le N$) are independently constructed using Shamir's method, and in which Pedersen's technique is independently applied to $\Pi$ and each $\Pi_k$.

Scheme-II: A verifiable $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi^v, \Pi_1^v, \ldots, \Pi_N^v)$ in which each $(t \to t_k, n)$-threshold changeable scheme $(\Pi, \Pi_k)$ ($1 \le k \le N$) is independently constructed, and in which Pedersen's technique is independently applied to each $(\Pi, \Pi_k)$.

Scheme-III: The proposed verifiable $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi^v, \Pi_1^v, \ldots, \Pi_N^v)$ we have constructed in Section 4.

In the following, we show the efficiency for the dealer. Precisely, in Figure 1 we show the amount of information she has to securely distribute and the amount of information she has to publish, in Scheme-I, in Scheme-II and in Scheme-III, respectively. As seen in Figure 1, Scheme-I is, to be sure, superior to the others in view of the security of each $\Pi_k$, but that scheme requires a much larger amount of information to be securely distributed. Since in Scheme-II and Scheme-III such amount does not depend upon the number of threshold changes, we discuss Scheme-II and Scheme-III.

Scheme | By-SC ($\times H(S)$) | COP ($\times \log q$) | Commitment ($\times \log p$) | Security
I | $2(N + 1)$ | $0$ | $\sum_{k=1}^{N} \ldots$ | $\Pi$: perfect $(t, n)$-TS; $\Pi_k$: perfect $(t_k, n)$-TS
II | $2$ | $\sum_{k=1}^{N} 2(n - t_k + 1)$ | $\sum_{k=1}^{N} (t + \ldots - 1)$ | $\Pi$: perfect $(t, n)$-TS; $\Pi_k$: $(t - 1, t_k, n)$-RS
III | $2$ | $2(nN + t - t_N)$ | $\max_{1 \le k \le N} t_k$ | $\Pi$: perfect $(t, n)$-TS; $\Pi_k$: $(t - 1, t_k, n)$-RS

By-SC: The amount of information per participant which the dealer has to distribute by some secure channel.

COP: The amount of information of the coefficients of the open polynomials $\{f_k^{\circ}(x)\}$ and $\{g_k^{\circ}(x)\}$, which the dealer has to publish to control the thresholds.

Commitment: The amount of information of the commitments, which the dealer has to open for verification of the full shares and the subshares.

Security: The security of the schemes $\Pi, \Pi_1, \ldots, \Pi_N$ as threshold schemes. The terms "TS" and "RS" stand for "threshold scheme" and "ramp scheme", respectively.

Fig. 1. Comparison of the efficiency of Scheme-I, II, III

Denote by $A_{II}$ and $A_{III}$ the total amount of information the dealer has to publish in Scheme-II and in Scheme-III, respectively.

Proposition 14. Suppose that $t \ge 2$, $t_k \ge 2$ ($1 \le k \le N$) and $p, q$ are primes such that $q \mid (p - 1)$ and such that $q^2 < p$. Then $A_{III} < A_{II}$ holds. That means Scheme-III is more efficient than Scheme-II in view of the amount of information the dealer has to publish.

Proof. First note that we may let $\max_{1 \le k \le N} t_k = t_N$ without loss of generality. From the definition, we have

$A_{II} = \sum_{k=1}^{N} (\ldots - 1)\,\log p + 2\sum_{k=1}^{N} (\ldots - t_k + 1)\,\log q,$

$A_{III} = t_N \log p + 2(nN + t - t_N)\,\log q.$

Then we get

$A_{II} - A_{III} = (\ldots)\,(\log p - \log q^2),$

which is necessarily positive, since $p > q^2$ and $t + \sum_{k=1}^{N} t_k - N > 2N - N = N > 0$. ∎

6 Conclusion

Remember that a $(t \to \mathbf{t}, n)$-threshold changeable scheme simply constructed from an optimal $(t, n)$-threshold scheme that is threshold changeable to $t'$, given by [MPSW99], cannot be efficiently made verifiable by the technique of [Ped92]. In this paper, we have therefore constructed a $(t \to \mathbf{t}, n)$-threshold changeable scheme $(\Pi, \Pi_1, \ldots, \Pi_N)$ based on Shamir's threshold scheme. This is an almost optimal $(t \to \mathbf{t}, n)$-threshold changeable scheme, and it can easily be made a verifiable $(t \to \mathbf{t}, n)$-threshold changeable scheme with unconditional security and non-interactivity among the entities for verification. As seen in the primitive one (Scheme-I) in Figure 1, the perfect security of each $\Pi_k$ ($1 \le k \le N$) requires much larger full shares to be securely distributed. On the other hand, though in the proposed scheme (that is, Scheme-III) each scheme $\Pi_k$ ($1 \le k \le N$) sacrifices perfect security, the entropy of the full share does not depend upon the number of threshold changes. Furthermore, we decrease the amount of information the dealer has to publish by constructing $\Pi_k$ using $\Pi_{k-1}$ ($1 \le k \le N$), where $\Pi_0 := \Pi$. This difference is indicated by the inequality $A_{II} - A_{III} > 0$ appearing in Proposition 14 in Section 5.
Abstract. In a $(t, n)$ threshold digital signature scheme, $t$ out of $n$ signers must co-operate to issue a signature. We present an efficient and robust $(t, n)$ threshold version of Schnorr's signature scheme. We prove it to be as secure as Schnorr's signature scheme, i.e., existentially unforgeable under adaptively chosen message attacks. The signature scheme is then incorporated into a $(t, n)$ threshold scheme for implicit certificates. We prove the implicit certificate scheme to be as secure as the distributed Schnorr signature scheme.

1 Introduction

Threshold Cryptography. Threshold cryptography addresses the issue of performing cryptographic tasks such as signing, encrypting/decrypting etc. in a distributed way. For example, in a $(t, n)$ threshold signature scheme, any set of $t$ players can issue a signature for an arbitrary message while any set of less than $t$ players cannot issue a signature at all (see [...] for a threshold DSS signature scheme). We refer to [...] for a detailed survey of threshold cryptography.

Certificates. Certificates provide a way to authenticate data, usually a public key. They can be realized using different techniques.

Traditional certificates contain an identity string, the public key, and a signature on these values. To issue a traditional certificate, a Certification Authority (CA) first verifies the authenticity of the public key and the identity string and then issues a digital signature on it. The certificate is therefore as secure as the signature scheme: certificates cannot be forged because signatures cannot be forged.

V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 417–..., 2001.
© Springer-Verlag Berlin Heidelberg 2001
Implicit certificates contain an identity string, but neither an explicit public key nor a signature. Instead, they contain public reconstruction data. The public key itself must be computed from the public reconstruction data and the public key of the CA who issued the certificate. The advantage of implicit certificates is their size: besides the identity string, they only contain public reconstruction data, whereas traditional certificates contain a public key and a digital signature. This is particularly useful in bandwidth constrained environments such as wireless communication and digital postmarks. A survey of various types of implicit certificates and applications is given in [...].

In contrast to traditional certificates, where the security lies directly on the underlying signature scheme, there are special security issues concerning implicit certificates. In particular, any public reconstruction data and identity string, together with a CA's public key, would yield a public key. However, it should be hard to choose the public reconstruction data and compute the private key corresponding to the implied public key without knowing the CA's private key. Another issue is that, since one usually uses a slightly modified signature scheme to issue a certificate, one has to make sure that no information about the CA's or the user's private key is leaked.

Our Work. We first present a distributed Schnorr signature scheme and prove it to be as secure as the non-distributed version, i.e., existentially unforgeable under adaptively chosen message attacks. Second, this scheme is incorporated into the construction of a distributed implicit certificate scheme.

In all proofs, we assume the random oracle model as described in [...]. For all protocols we assume a synchronous communication model, where all players are connected via private channels and a global broadcast channel.

Organization. Our digital signature threshold scheme is based on Pedersen's Verifiable Secret Sharing scheme [...] and a multi-party protocol to generate a random shared secret [7]. These primitives are briefly discussed in Section 2. In Section 3 we recall Schnorr's signature scheme [...]. Then we propose in Section 4 a $(t, n)$ threshold version of this signature scheme. We prove the security of the scheme in Section 5, adapting the proof techniques used in [...]. The non-distributed implicit certificate scheme is introduced in Section 6. The $(t, n)$ threshold version of this scheme is presented in Section 7 and a security proof is presented in Section 8.

2 Secret Sharing Schemes

2.1 Parameters

We use elliptic curve notation for the discrete logarithm problem. Suppose $q$ is a large prime and $G, H$ are generators of a subgroup of order $q$ of an elliptic curve $E$. We assume that $E$ is chosen in such a way that the discrete logarithm problem in the subgroup generated by $G$ is hard, so it is infeasible to compute the integer $d$ such that $G = dH$.
2.2 Shamir's Secret Sharing Scheme

In a $(t, n)$ secret sharing scheme, a dealer distributes a secret $s$ to $n$ players $P_1, \ldots, P_n$ in such a way that any group of at least $t$ players can reconstruct the secret $s$, while any group of less than $t$ players does not get any information about $s$. In [...] Shamir proposes a $(t, n)$ threshold secret sharing scheme as follows. In order to distribute $s \in \mathbb{Z}_q$ among $P_1, \ldots, P_n$ (where $n < q$), the dealer chooses a random polynomial $f(\cdot)$ over $\mathbb{Z}_q$ of degree at most $t - 1$ satisfying $f(0) = s$. Each player $P_i$ receives $s_i = f(i)$ as his share.

There is one and only one polynomial of degree at most $t - 1$ satisfying $f(i) = s_i$ for $t$ values of $i$. Therefore, an arbitrary group $V$ of $t$ participants can reconstruct the polynomial $f(\cdot)$ by Lagrange's interpolation as follows:

$f(u) = \sum_{i \in V} s_i\, \omega_i(u), \quad \text{where } \omega_i(u) = \prod_{j \in V,\, j \ne i} \frac{u - j}{i - j} \bmod q.$

Since it holds that $s = f(0)$, the group $V$ can reconstruct the secret as follows:

$s = f(0) = \sum_{i \in V} \omega_i s_i, \quad \text{where } \omega_i = \omega_i(0) = \prod_{j \in V,\, j \ne i} \frac{j}{j - i} \bmod q.$

Each $\omega_i$ is non-zero and can be easily computed from public information. Note that the constant term of a polynomial of degree at most $t - 1$ is not defined through $t - 1$ equations of the form $f(i) = s_i$. Furthermore, since the dealer chooses $f(\cdot)$ uniformly at random, every value for the constant term is equally probable. A coalition of $t - 1$ players can therefore neither compute the secret nor get any information about it.



2.3 Verifiable Secret Sharing Scheme

A Verifiable Secret Sharing scheme (VSS) prevents the dealer from cheating. In a VSS scheme, each player can verify his share. If the dealer distributes inconsistent shares, he will be detected. Pedersen presented a VSS scheme in [...] which we will use in this paper. His scheme is as follows.

Assume the dealer has a secret $s \in \mathbb{Z}_q$ and a random number $s' \in \mathbb{Z}_q$, and is committed to the pair $(s, s')$ through the public information $C_0 = sG + s'H$. The secret $s$ can be shared among $P_1, \ldots, P_n$ as follows.

The dealer performs the following steps:

1. Choose random polynomials

$f(u) = s + f_1 u + \cdots + f_{t-1}u^{t-1} \quad \text{and} \quad f'(u) = s' + f'_1 u + \cdots + f'_{t-1}u^{t-1},$

where $s, s', f_k, f'_k \in \mathbb{Z}_q$ for $k \in \{1, \ldots, t - 1\}$. Compute $(s_i, s'_i) = (f(i), f'(i))$ for $i \in \{1, \ldots, n\}$.

2. Send $(s_i, s'_i)$ secretly to player $P_i$ for $i \in \{1, \ldots, n\}$.

3. Broadcast the values $C_k = f_k G + f'_k H$ for $k \in \{1, \ldots, t - 1\}$.

Each player $P_i$ performs the following steps:

1. Verify that

$s_i G + s'_i H = \sum_{k=0}^{t-1} i^k C_k. \qquad (1)$

If this is false, broadcast a complaint against the dealer.

2. For each complaint from a player $i$, the dealer defends himself by broadcasting the values $f(i), f'(i)$ that satisfy (1).

3. Reject the dealer if

– he received at least $t$ complaints in step 1, or

– he answered a complaint in step 2 with values that violate (1).

Pedersen proved that any coalition of less than $t$ players cannot get any information about the shared secret, provided that the discrete logarithm problem in $E$ is hard.
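Pedersen's dealer and player steps above, as an added example (not the paper's code) over a toy Schnorr subgroup of $\mathbb{Z}_p^*$ written multiplicatively, so $G^a H^b \bmod p$ plays the role of $aG + bH$; the primes $p = 607$, $q = 101$, the two bases, the secret and the random seed are constructed toy values. Besides check (1) on an honest and on a tampered share, the block shows why nobody may know $\log_G H$: with that logarithm the dealer can open $C_0$ to a second secret, which the toy group size makes visible by brute force.

```python
"""Pedersen's VSS (Section 2.3) over a toy Schnorr subgroup, multiplicative notation.

Added example, not the paper's code.  G^a H^b mod P stands for the paper's
aG + bH; P, Q, G, H are constructed toy values far too small for real use.
"""
import random

P, Q = 607, 101                     # 607 = 6*101 + 1; both prime
G = pow(2, (P - 1) // Q, P)         # element of order Q
H = pow(3, (P - 1) // Q, P)         # second order-Q element; nobody may know log_G(H)


def commit(a, b):
    """C = G^a H^b mod P, the commitment to the pair (a, b)."""
    return pow(G, a, P) * pow(H, b, P) % P


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal(s, s_prime, t, n, rng):
    """Dealer's steps 1-3: pick f, f' of degree t-1 with f(0) = s, f'(0) = s',
    hand (s_i, s'_i) = (f(i), f'(i)) to P_i and broadcast C_k = commit(f_k, f'_k)."""
    f = [s] + [rng.randrange(Q) for _ in range(t - 1)]
    fp = [s_prime] + [rng.randrange(Q) for _ in range(t - 1)]
    shares = {i: (poly_eval(f, i), poly_eval(fp, i)) for i in range(1, n + 1)}
    return shares, [commit(a, b) for a, b in zip(f, fp)]


def verify_share(i, share, comms):
    """Player i's check (1): G^{s_i} H^{s'_i} == prod_{k=0}^{t-1} C_k^{i^k}."""
    rhs = 1
    for k, c in enumerate(comms):
        rhs = rhs * pow(c, pow(i, k, Q), P) % P
    return commit(*share) == rhs


def toy_dlog(h):
    """Brute-force log_G(h); feasible only because Q is tiny."""
    return next(d for d in range(Q) if pow(G, d, P) == h)


def equivocate(s, s_prime, d, delta):
    """With d = log_G(H) known, (s + d*delta, s' - delta) opens the same C_0:
    G^{s + d*delta} H^{s' - delta} = G^s H^{s'} (G^d / H)^delta = G^s H^{s'}."""
    return (s + d * delta) % Q, (s_prime - delta) % Q


def demo(seed=3):
    """Honest shares verify, a tampered share is caught, and a known log_G(H)
    breaks the binding of C_0 (constructed secret 42 with randomizer 77)."""
    shares, comms = deal(42, 77, 3, 5, random.Random(seed))
    all_good = all(verify_share(i, sh, comms) for i, sh in shares.items())
    bad = ((shares[2][0] + 1) % Q, shares[2][1])      # dealer sends P_2 a wrong s_2
    caught = not verify_share(2, bad, comms)
    s2, sp2 = equivocate(42, 77, toy_dlog(H), 5)
    binding_broken = commit(s2, sp2) == comms[0] and s2 != 42
    return all_good, caught, binding_broken
```

The last check is the practical reason both papers insist that $\log_G H$ (the first paper's $\log_\alpha \beta$) must be unknown to every participant: the hiding of Pedersen's commitment is unconditional, but its binding rests entirely on that logarithm staying secret.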

2.4 Generating a Random Secret

For the key generation phase of our scheme, it is necessary to generate a random shared secret in a distributed way. The early protocol proposed by Feldman [...] has been shown to have a security flaw, and a secure protocol has been proposed in [7], which we will use for our schemes. We recall it in the following.

Suppose a trusted dealer chooses $r, r'$ at random, broadcasts $Y = rG$ and then shares $r$ among the players $P_i$ using Pedersen's VSS scheme. We would like to achieve this situation without a trusted dealer. This can be achieved by the following protocol.

Each player $P_i$ performs the following steps:

1. Each player $P_i$ chooses $r_i, r'_i \in \mathbb{Z}_q$ at random and verifiably secret shares $(r_i, r'_i)$, acting as the dealer according to Pedersen's VSS scheme. Let the sharing polynomials be $f_i(u) = \sum_{k=0}^{t-1} a_{ik}u^k$ and $f'_i(u) = \sum_{k=0}^{t-1} a'_{ik}u^k$, where $a_{i0} = r_i$, $a'_{i0} = r'_i$, and let the public commitments be $C_{ik} = a_{ik}G + a'_{ik}H$ for $k \in \{0, \ldots, t - 1\}$.

2. Let $H_0$ be the index set of players not detected to be cheating at step 1. The distributed secret value $r$ is not explicitly computed by any player, but it equals $r = \sum_{j \in H_0} r_j$. Each player $P_i$ sets his share of the secret as $s_i = \sum_{j \in H_0} f_j(i)$.

3. Extracting $Y = \sum_{j \in H_0} r_j G$: each player in $H_0$ exposes $Y_i = r_i G$ via Feldman's scheme:

(a) Each player $P_i$ for $i \in H_0$ broadcasts $A_{ik} = a_{ik}G$ for $k \in \{0, \ldots, t - 1\}$.

(b) Each player $P_j$ verifies the values broadcast by the other players in $H_0$. In particular, for every player $P_i$ with $i \in H_0$, $P_j$ checks if

$f_i(j)\,G = \sum_{k=0}^{t-1} j^k A_{ik}. \qquad (2)$

If the check fails for an index $i$, $P_j$ complains against $P_i$ by broadcasting the values $f_i(j), f'_i(j)$ that satisfy (1) but do not satisfy (2).

(c) For players $P_i$ who received at least one valid complaint, i.e., values which satisfy (1) but do not satisfy (2), the other players run the reconstruction phase of Pedersen's VSS scheme to compute $r_i$, $f_i(\cdot)$, $A_{ik}$ for $k = 0, \ldots, t - 1$ in the clear¹. All players in $H_0$ set $Y_i = r_i G$.

After executing this protocol, the following equations hold:

$Y = rG,$

$f(u) = r + a_1 u + \cdots + a_{t-1}u^{t-1}, \quad \text{where } a_k = \sum_{j \in H_0} a_{jk} \text{ for } k \in \{1, \ldots, t - 1\},$

$f(j) = s_j \quad \text{for } j \in H_0.$

In [7] this scheme has been proven to be robust under the assumption that $t \le n/2$, i.e., if less than $t$ players are corrupted, the values computed by the honest players satisfy the above equations.

For convenience, we introduce the following notation for this protocol:

$(s_1, \ldots, s_n) \leftarrow (r \mid Y, a_k G, H_0), \quad k \in \{1, \ldots, t - 1\}.$

This notation means that $s_j$ is player $P_j$'s share of the secret $r$ for each $j \in H_0$. The values $a_k G$ are the public commitments of the sharing polynomial $f(\cdot)$ (they can be computed using public information), and $(r, Y)$ forms a key pair, i.e., $r$ is a private key and $Y$ is the corresponding public key. The set $H_0$ denotes the set of players that have not been detected to be cheating. In the further protocols, we do not need the values $Y_j, C_{jk}, s'_j, r'_j$ for $j \in H_0$, $k \in \{0, \ldots, t - 1\}$ and therefore we omit these values in the short notation.
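The protocol of this section in the same toy multiplicative group, as an added example that is not the paper's code: every player deals with Pedersen's VSS, the others apply check (1), the shares $s_j$ are summed over $H_0$, and step 3 runs the Feldman extraction with check (2). One player broadcasts an inconsistent $A_{i1}$, which passes (1) but fails (2), exactly the case the security proof later calls the set $B'$. Step 3c is simplified to taking that player's own coefficients as the values the reconstruction phase would reveal in the clear; the group parameters and the random seed are constructed.

```python
"""Distributed random shared secret (Section 2.4) with Feldman extraction.

Added example, not the paper's code.  Toy Schnorr subgroup of Z_P^* in
multiplicative notation (G^a H^b mod P for aG + bH); step 3c is simplified.
"""
import random

P, Q = 607, 101                     # 607 = 6*101 + 1; both prime (toy sizes)
G = pow(2, (P - 1) // Q, P)         # element of order Q
H = pow(3, (P - 1) // Q, P)         # second order-Q element with unknown log_G


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def comm_eval(comms, x):
    """prod_k comms[k]^(x^k) mod P: the commitment to a polynomial's value at x."""
    acc = 1
    for k, c in enumerate(comms):
        acc = acc * pow(c, pow(x, k, Q), P) % P
    return acc


def prod_mod(values):
    acc = 1
    for v in values:
        acc = acc * v % P
    return acc


def run(n, t, rng, feldman_cheater=None):
    """Steps 1-3 among players 1..n.  If feldman_cheater is set, that player
    broadcasts a wrong A_{i1} in step 3a (consistent with (1), not with (2)).
    Returns Y, the shares s_j, H0, the complained-against players, the summed
    commitments a_k G, and r (never computed by a player; for the demo's check)."""
    players = list(range(1, n + 1))
    # Step 1: every player i Pedersen-shares (r_i, r'_i) with polynomials f_i, f'_i
    f = {i: [rng.randrange(Q) for _ in range(t)] for i in players}    # a_{i0} = r_i
    fp = {i: [rng.randrange(Q) for _ in range(t)] for i in players}   # a'_{i0} = r'_i
    C = {i: [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f[i], fp[i])]
         for i in players}
    # every player j checks (1) for every dealer i: G^{f_i(j)} H^{f'_i(j)} == prod_k C_ik^{j^k}
    H0 = [i for i in players
          if all(pow(G, poly_eval(f[i], j), P) * pow(H, poly_eval(fp[i], j), P) % P
                 == comm_eval(C[i], j) for j in players)]
    # Step 2: s_j = sum_{i in H0} f_i(j); r = sum r_i exists only implicitly
    shares = {j: sum(poly_eval(f[i], j) for i in H0) % Q for j in players}
    # Step 3a: each i in H0 broadcasts A_ik = G^{a_ik}
    A = {i: [pow(G, a, P) for a in f[i]] for i in H0}
    if feldman_cheater in A:
        A[feldman_cheater][1] = A[feldman_cheater][1] * G % P   # inconsistent A_{i1}
    # Step 3b: every j checks (2): G^{f_i(j)} == prod_k A_ik^{j^k}
    complained = [i for i in H0
                  if any(pow(G, poly_eval(f[i], j), P) != comm_eval(A[i], j)
                         for j in players)]
    # Step 3c (simplified): the reconstruction phase would reveal f_i in the clear;
    # here that dealer's own coefficients replace the bad A_ik
    for i in complained:
        A[i] = [pow(G, a, P) for a in f[i]]
    Y = prod_mod([A[i][0] for i in H0])              # Y = prod Y_i = G^{sum r_i}
    a_comms = [prod_mod([A[i][k] for i in H0]) for k in range(t)]
    r = sum(f[i][0] for i in H0) % Q
    return Y, shares, H0, complained, a_comms, r


def demo(seed=5):
    """Five players, t = 3, player 4 cheats in the Feldman step."""
    Y, shares, H0, bad, a_comms, r = run(5, 3, random.Random(seed), feldman_cheater=4)
    y_ok = Y == pow(G, r, P)
    # every share opens under the summed commitments: G^{s_j} == prod_k (a_k G)^{j^k}
    shares_ok = all(pow(G, s, P) == comm_eval(a_comms, j) for j, s in shares.items())
    return H0, bad, y_ok, shares_ok
```

The two checks separate the two kinds of misbehaviour the text distinguishes: a dealer whose private shares do not match the $C_{ik}$ is excluded from $H_0$ by (1), while a dealer whose $A_{ik}$ do not match the shares he already committed to passes (1), fails (2), and is handled by reconstruction rather than exclusion, so that $Y$ still equals $G^{\sum_{j \in H_0} r_j}$ and every $s_j$ opens under the summed commitments $a_k G$.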

3 Schnorr's Signature Scheme

In [...] Schnorr introduced the following signature scheme. Let $(x, Y)$ be a user's key pair, let $m$ be a message, let $h(\cdot)$ be a one-way hash function, and let $G$ be a generator of an elliptic curve group having prime order $q$. Then a user generates a Schnorr signature on the message $m$ as follows.

1. Select $e \in \mathbb{Z}_q$ at random

2. Compute $V = eG$

3. Compute $\sigma = e + h(m \| V)\,x \bmod q$

4. Define the signature on $m$ to be $(V, \sigma)$

A verifier accepts a signature $(V, \sigma)$ on a message $m$ if and only if $\sigma \in \mathbb{Z}_q$ and

$\sigma G = V + h(m \| V)\,Y.$

¹ Every player in $H_0$ simply reveals his share of $r_i$. Each player can then compute $Y_i$ by choosing $t$ shares that satisfy (1).
In [...], Schnorr signatures were shown to be existentially unforgeable under adaptively chosen message attacks in the random oracle model, using the forking lemma, provided that the discrete logarithm problem is hard in the group generated by $G$.

4 A $(t, n)$ Threshold Signature Scheme

In this section, we propose a robust and efficient $(t, n)$ threshold digital signature scheme for Schnorr signatures. We use the primitives presented in Section 2. Our protocol consists of a key generation protocol and a signature issuing protocol. Let $P_1, \ldots, P_n$ be the set of players issuing a signature and let $G$ be a generator of an elliptic curve group of order $q$.

4.1 Key Generation Protocol

All $n$ players have to co-operate to generate a public key, and a secret key share for each $P_j$. They generate a random shared secret according to the protocol presented in Section 2.4. Let the output of the protocol be

$(\alpha_1, \ldots, \alpha_n) \leftarrow (x \mid Y, b_k G, H_0), \quad k \in \{1, \ldots, t - 1\}.$

For each $j \in H_0$, $\alpha_j$ is the secret key share of $P_j$ and will be used to issue a partial signature for the key pair $(x, Y)$.

4.2 Signature Issuing Protocol

Let $m$ be a message and let $h(\cdot)$ be a one-way hash function. Suppose that the players with index set $H_1 \subseteq H_0$ want to issue a signature. They use the following protocol:

1. If $|H_1| < t$, stop. Otherwise, the subset $H_1$ generates a random shared secret as described in Section 2.4. Let the output be

$(\beta_1, \ldots, \beta_n) \leftarrow (e \mid V, c_k G, H_2), \quad k \in \{1, \ldots, t - 1\}.$

2. If $|H_2| < t$, stop. Otherwise, each $P_i$ for $i \in H_2$ reveals

$\gamma_i = \beta_i + h(m \| V)\,\alpha_i.$

3. Each $P_i$ for $i \in H_2$ verifies that

$\ldots \qquad (3)$

Let $H_3$ be the index set of players not detected to be cheating at step 3.
4. If $|H_3| < t$, then stop. Otherwise, each $P_i$ for $i \in H_3$ selects an arbitrary subset $H_4 \subseteq H_3$ with $|H_4| = t$ and computes $\sigma$ satisfying $\sigma = e + h(m \| V)\,x$, where

$\sigma = \sum_{i \in H_4} \omega_i \gamma_i.$

The signature is $(\sigma, V)$. The signature can be verified as in Schnorr's original scheme:

$\sigma G = V + h(m \| V)\,Y \quad \text{and} \quad \sigma \in \mathbb{Z}_q.$

Remarks.

1. The scheme can easily be modified such that a trusted combiner calculates the signature, instead of the players. The $\gamma_i$'s would be sent secretly to the trusted combiner, who proceeds with the verification and the signature generation. In such a scenario, the players would not be able to generate a signature without the combiner.

2. The only property required of the underlying secret sharing scheme is that it must be homomorphic. This signature scheme could therefore be generalized to non-threshold access structures by a suitable linear general access structure secret sharing scheme, as for example [...].

4.3 Correctness

We have to show that the signature $\sigma$ computed in Step 4 is the Schnorr signature on $m$, i.e., $\sigma = e + h(m \| V)\,x \bmod q$. Let $F_1(\cdot)$ be the sharing polynomial of the key generation protocol ($\alpha_i = F_1(i)$ for $i \in H_0$), and let $F_2(\cdot)$ be the sharing polynomial implied by the generated random shared secret in Step 1 ($\beta_i = F_2(i)$ for $i \in H_1$). Furthermore, let $F_3(\cdot) := F_2(\cdot) + h(m \| V)\,F_1(\cdot)$. Since $\gamma_i = F_3(i)$ for $i \in H_3$, it follows from Lagrange's interpolation formula that the players compute $\sigma = F_3(0)$. We can now argue as follows:

$\sigma = F_3(0) = F_2(0) + h(m \| V)\,F_1(0) = e + h(m \| V)\,x.$

4.4 Robustness

We have to show that if less than $t$ players are corrupted, the scheme always produces a valid signature. We assume that $t \le n/2$.

From the robustness property of the protocol to generate a random shared secret it follows that every honest player $P_i$ computes correct values $\alpha_i, \beta_i, \gamma_i$. Because there are at least $t$ honest players, and because they can identify the correct $\gamma_i$ by verifying (3), it follows directly by the correctness property that the honest players will always compute a valid signature.
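The signature issuing protocol, its combination step from Section 2.2 and the Schnorr verification of Section 3, as an added example that is not the paper's code, over the same toy multiplicative group ($G^x \bmod p$ for $xG$). Two simplifications are assumptions: the random shared secrets for $x$ and $e$ are produced by plain additive Shamir sharing without the complaint handling of Section 2.4, and the partial-signature check (3), which the text does not spell out here, is written in the form that the published commitments $b_k G$, $c_k G$ permit, namely $\gamma_i G = \sum_{k=0}^{t-1} i^k \big(C_k + h(m \| V)\,B_k\big)$ with $B_0 = Y$, $C_0 = V$, $B_k = b_k G$ and $C_k = c_k G$. The hash $h$ is SHA-256 reduced modulo $q$, the message and seed are constructed, and one player submits a corrupted $\gamma_i$ to show that (3) excludes it from $H_3$.

```python
"""Threshold Schnorr signing (Section 4) with Lagrange combination (Section 2.2)
and Schnorr verification (Section 3), over a toy Schnorr subgroup of Z_P^*.

Added example, not the paper's code.  Assumptions: multiplicative notation
(G^x mod P for xG), plain additive Shamir sharing for the key and the nonce,
SHA-256 mod Q as h, and check (3) in the form the commitments b_kG, c_kG allow.
"""
import hashlib
import random

P, Q = 607, 101                     # toy primes, Q | P - 1
G = pow(2, (P - 1) // Q, P)         # generator of the order-Q subgroup


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def h_hash(m, V):
    """h(m || V) reduced into Z_Q (assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(m + str(V).encode()).digest(), "big") % Q


def joint_secret(players, t, rng):
    """Simplified random shared secret: every player picks a degree-(t-1) polynomial,
    the secret is the sum of the constant terms, player j's share is the sum of the
    polynomials at j, and G^{coef_k} are the public coefficient commitments.
    The secret itself is returned only so the demo can check the result."""
    polys = [[rng.randrange(Q) for _ in range(t)] for _ in players]
    coefs = [sum(p[k] for p in polys) % Q for k in range(t)]
    shares = {j: poly_eval(coefs, j) for j in players}
    return coefs[0], shares, [pow(G, c, P) for c in coefs]


def partial_sig(beta_i, alpha_i, h):
    """Step 2: gamma_i = beta_i + h(m||V) alpha_i mod q."""
    return (beta_i + h * alpha_i) % Q


def check_partial(i, gamma_i, h, key_comms, nonce_comms):
    """Check (3), assumed form: G^{gamma_i} == prod_k (C_k * B_k^h)^{i^k},
    with B_0 = Y, C_0 = V, B_k = G^{b_k}, C_k = G^{c_k}."""
    rhs = 1
    for k, (B, C) in enumerate(zip(key_comms, nonce_comms)):
        rhs = rhs * pow(C * pow(B, h, P) % P, pow(i, k, Q), P) % P
    return pow(G, gamma_i, P) == rhs


def combine(gammas):
    """Step 4: sigma = sum_{i in H4} omega_i gamma_i, omega_i = prod_{j != i} j/(j - i)."""
    sigma = 0
    for i, g in gammas.items():
        w = 1
        for j in gammas:
            if j != i:
                w = w * j * pow((j - i) % Q, -1, Q) % Q
        sigma = (sigma + w * g) % Q
    return sigma


def schnorr_verify(m, V, sigma, Y):
    """Schnorr's check: sigma in Z_q and G^sigma == V * Y^{h(m||V)}."""
    return 0 <= sigma < Q and pow(G, sigma, P) == V * pow(Y, h_hash(m, V), P) % P


def demo(t=3, n=5, seed=11):
    """Key generation, signing by all n players with P_2 sending a corrupted gamma,
    and combination by the first t players that pass check (3)."""
    rng = random.Random(seed)
    players = list(range(1, n + 1))
    x, alpha, B = joint_secret(players, t, rng)      # key shares; Y = B[0]
    e, beta, C = joint_secret(players, t, rng)       # nonce shares; V = C[0]
    Y, V = B[0], C[0]
    m = b"constructed message"
    h = h_hash(m, V)
    gammas = {i: partial_sig(beta[i], alpha[i], h) for i in players}
    gammas[2] = (gammas[2] + 1) % Q                  # P_2 misbehaves
    H3 = {i: g for i, g in gammas.items() if check_partial(i, g, h, B, C)}
    excluded = sorted(set(players) - set(H3))
    H4 = dict(list(H3.items())[:t])
    sigma = combine(H4)
    return excluded, schnorr_verify(m, V, sigma, Y), sigma == (e + h * x) % Q
```

Because $\gamma_i = F_2(i) + h(m \| V)\,F_1(i)$ is the evaluation of $F_3$ at $i$, its commitment is the same linear combination of the published coefficient commitments, which is all check (3) has to test; the Lagrange combination then yields $F_3(0)$ exactly as in the correctness argument above, and the result passes the unmodified Schnorr verification.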
5 Security

5.1 Notion of Security

In this section, we show that the proposed $(t, n)$ threshold signature scheme is as secure as Schnorr's signature scheme, i.e., existentially unforgeable under adaptively chosen message attacks in the random oracle model.

We define an adaptively chosen message attack against our $(t, n)$ threshold scheme as follows. An adversary $A_{DistSchnorr}$ is allowed to have the signature issuing protocol executed by any $t$ or more signers to compute signatures on messages of her own choice. She also might corrupt up to $t - 1$ arbitrary players. $A_{DistSchnorr}$ then tries to forge a new signature from the signatures she obtained in this way and from her view, where the view is everything that $A_{DistSchnorr}$ sees in executing the key generation protocol and the signature issuing protocol.

Let $A_{NormSchnorr}$ be a successful adversary that can break (in the sense of an existential forgery under adaptively chosen message attack) Schnorr's scheme (denoted by $D_{NormSchnorr}$), and let $A_{DistSchnorr}$ be a successful adversary that can break the distributed Schnorr scheme (denoted by $D_{DistSchnorr}$) presented in this paper. To prove the security of our scheme, we will show that given $A_{NormSchnorr}$, one can construct an adversary $A_{DistSchnorr}$, and vice versa. This implies that $D_{DistSchnorr}$ is as secure as $D_{NormSchnorr}$ is.

The idea of how to construct $A_{NormSchnorr}$ given the adversary $A_{DistSchnorr}$, a public key $Y$ and a signing oracle goes as follows. $A_{NormSchnorr}$ simulates the roles of the uncorrupted players during all stages of $D_{DistSchnorr}$, i.e., from the key generation protocol that outputs $Y$ up to the signature issuing protocols for $A_{DistSchnorr}$'s chosen message attack, and lets them interact with $A_{DistSchnorr}$ (see Section 5.3). Because $A_{DistSchnorr}$ cannot distinguish her view during this simulation from her view during a real run of $D_{DistSchnorr}$, she will succeed and output a valid forgery, and therefore so will $A_{NormSchnorr}$. Indistinguishability is used in the sense of the traditional notion of polynomial indistinguishability of two probability distributions as specified in [...].

The next section explains precisely what a view is. We also explain how to build a simulator $SIM$ that simulates the honest players during the generation of a distributed random shared secret such that it produces, for an arbitrary but given public key $Y$, a view that is indistinguishable for the adversary from a view during a real run of the protocol which outputs $Y$. This simulator is then used later as a subroutine of a simulator that computes the adversary's entire view of our threshold signature scheme.

5.2 View

During an arbitrary multi-party protocol, a player will choose values on his own, see public broadcast values and receive private values. We define his view of the protocol to consist of all these values. Notice that in order to simulate the view for a player one does not have to simulate the values which the player chooses on his own.
In the following, we will analyze the adversary's view during the generation of a random shared secret. In particular, the goal is to build a simulator $SIM$ that succeeds in the following game. Let $B$ be the index set of corrupted players. The corrupted players $P_i$ for $i \in B$ first run the protocol with honest players such that the public value of the random shared secret outputs a random value $Y$. Now we run the protocol again, but instead of communicating with the honest players, the players $P_i$ for $i \in B$ communicate with the simulator. This simulator will now produce messages exactly as the honest players do, such that the public value of the random shared secret is $Y$, and furthermore, the adversary controlling players $P_i$ for $i \in B$ cannot distinguish this simulated view from the view resulting from the honest players.

When generating a distributed random shared secret, as explained in Section 2.4, the view of a player $P_i$ would be the following:

– the sharing polynomials $f_i(\cdot), f'_i(\cdot)$,

– the temporary shares $f_j(i), f'_j(i)$ for $j \in H_0$,

– the public commitments $C_{jk}, A_{jk}$ for $j \in H_0$, $k \in \{0, \ldots, t - 1\}$,

– answers on a valid complaint against $P_j$: $f_j(i), f'_j(i)$ for $j \in H_0$,

and the content of his random tape. If an adversary corrupts $P_i$ and $P_j$, then the adversary's view is $\{\text{view of } P_i\} \cup \{\text{view of } P_j\}$.

Definition 1. Suppose that a set $H_0$ of players compute a random shared secret on input $(q, G)$ and produce output $Y$. Let $A$ be an adversary that corrupts up to $t - 1$ players. Let $view(A, G, q, Y)$ denote the view of the adversary for this protocol. Let $VIEW(A, G, q, Y)$ be the random variable induced by $view(A, G, q, Y)$².

Lemma 1. For any probabilistic polynomial time adversary $A$ there exists a probabilistic polynomial time simulator $SIM$ that can compute a random variable $SIM(G, q, Y)$ which has the same probability distribution as $VIEW(A, G, q, Y)$.

Proof of Lemma 1. Assume that $A$ corrupts players $P_i$ for $i \in B = \{1, \ldots, t - 1\}$. Furthermore, let $B'$ be the index set that denotes the players who publish inconsistent values $A_{ik}$. Then $view(A, G, q, Y)$, when generating a random shared secret, is as follows:

1. The content of the random tape of $A$

2. $f_i(\cdot), f'_i(\cdot)$ for $i \in B$

3. $f_j(i), f'_j(i)$ for $j \in H_0$, $i \in B$

4. $C_{jk}$ for $j \in H_0$, $k \in \{0, \ldots, t - 1\}$

5. $A_{jk}$ for $j \in H_0$, $k \in \{0, \ldots, t - 1\}$

6. $f_j(i), f'_j(i)$ for $j \in H_0$, $i \in B'$

² $view(\cdot)$ contains random variables and static values. $VIEW(\cdot)$ can be regarded as the interpretation of $view(\cdot)$ as one large bit string, so it is a random variable.
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We show how to construct a simulator SIM that can act in the protocol as the 
honest players, such that the resulting view has the same probability distribution 
(we use the same simulator as in 0). Note that SIM does not have to compute 
the sharing polynomials 0 itself since they are chosen by the adversary. The 
same holds for the content of the random tape du which is part of the adversary’s 
internal state that does not have to be simulated. 

1 . (El EJ Perform step[Dof the protocol on behalf of the honest players Pt, . . . ,Pn 

exactly as specified in the protocol. This includes receiving and processing 
the information sent privately and publicly from corrupted players to honest 
ones. After this step, SIM knows all polynomials for i G Hq- In 

particular, SIM knows all the shares /i(j), //(j), the coefficients aik,hik and 
the public values Cit for i,j G Hq and /c G {0, ...,<— 1}. 

2. (E) When extracting the values r^G, the simulator acts as follows: 

— Compute Aik = ciikG for i G Ho \ {n}, fc G {0, . . . , t — 1} 

- Compute A„o = P - J2ieHo\{n} 

- Compute Ank = AfeoA„o + Si=i ^kifn{i)G for fc G {1, . . . , t - 1}, where 
Xki’s are the Lagrange interpolation coefficients of the set Hq. 

— Broadcast Aik ior i G Ho,k G {0, . . . , t — 1} 

3. (0 To handle the messages resulting from complaints, SIM acts as follows: 

— For each honest player, verify the values Aik for i G B hy checking 
(0. If the verification fails for some i G B,j G Hq \ B, broadcast a 
complaint fi{j),f'i{j)- Notice that the corrupted players can publish a 
valid complaint only against one another, and there will be no complaints 
against an honest player that is simulated by SIM. 

— For each valid complaint against Pi, perform the reconstruction phase of 
Pedersen’s VSS scheme to compute and Yi in the clear. 

After step [?] the polynomials $f_i(\cdot), f'_i(\cdot)$ for $i \in H_0 \setminus B$ are chosen at random. All 
associated values $C_{ik}, f_i(j), f'_i(j), a_{ik}, b_{ik}$ therefore have the exact same probability 
distribution as in a real run of the protocol. 

The broadcast values $A_{ik}$ are all uniformly random since the corresponding 
$a_{ik}$ are random. This holds also for the specially computed $A_{nk}$ for $k \in \{0, \ldots, t-1\}$, 
since for each such coefficient there is at least one random value it depends on. 
Notice that the fact that these $A_{nk}$ are not consistent with the corresponding 
$a_{nk}$ does not appear in the adversary's view: she never sees the $a_{nk}$ but only 
the consistent public commitments of these values. 

During the handling of complaints (step 3) there can only be valid complaints 
against a corrupted server. To reconstruct $r_i$, SIM has to reveal the values 
$f_i(j), f'_i(j)$ for $j \in H_0 \setminus B$. But SIM knows all the polynomials $f_i(\cdot), f'_i(\cdot)$ for 
$i \in H_0 \setminus B$. Therefore, SIM has only to broadcast these values, which will always 
be consistent with the adversary's view. 

A more detailed analysis of the distribution can be found in [?]. The computed 
view, and the induced random variable $SIM(\mathcal{A}, G, q, Y)$, has the same probability 
distribution as $VIEW(\mathcal{A}, G, q, Y)$. □ 
5.3 Unforgeability 

In this section, we will show how to reduce the distributed Schnorr signature 
scheme to the regular Schnorr signature scheme, and vice versa. This implies 
that the security of the two schemes is identical. 

Definition 2. Let $\mathcal{A}_{NormSchnorr}$ be a probabilistic polynomial time adversary 
who can ask a signer for valid signatures. By $\mathcal{A}_{NormSchnorr}(G, q, Y)$ we denote 
a random variable which specifies the probability of the event that $\mathcal{A}_{NormSchnorr}$ 
queries $(m_1, m_2, \ldots)$ to the signer and outputs $(\tilde m, \tilde\sigma, \tilde V)$ (on input $(G, q, Y)$). 
The probability is taken over all the coin tosses of $\mathcal{A}_{NormSchnorr}$ and the signer. 



Definition 3. Let $\mathcal{A}_{DistSchnorr}$ be a probabilistic polynomial time adversary who 
can corrupt up to $t-1$ players. He also may have $t$ or more arbitrary signers issue 
a signature upon his request. By $\mathcal{A}_{DistSchnorr}(G, q \mid Y)$³ we denote the random 
variable that has the probability distribution of $\mathcal{A}_{DistSchnorr}$ asking for signatures 
on $(m_1, m_2, \ldots)$ (on input $(G, q)$) and finally computing $(\tilde m, \tilde\sigma, \tilde V)$ under the 
condition that the key generation protocol outputs $Y$. The probability is taken 
over all the coin tosses of $\mathcal{A}_{DistSchnorr}$ and the signers. 



Theorem 1. For any adversary $\mathcal{A}_{NormSchnorr}$ against $D_{NormSchnorr}$, there exists 
an adversary $\mathcal{A}_{DistSchnorr}$ against $D_{DistSchnorr}$ such that 

$\Pr[\mathcal{A}_{DistSchnorr}(G, q \mid Y) = (m_1, \ldots, (\tilde m, \tilde\sigma, \tilde V))]$ 

$= \Pr[\mathcal{A}_{NormSchnorr}(G, q, Y) = (m_1, \ldots, (\tilde m, \tilde\sigma, \tilde V))].$ 

Proof. We show how to construct $\mathcal{A}_{DistSchnorr}$ given $\mathcal{A}_{NormSchnorr}$. Suppose the 
key generation protocol of $D_{DistSchnorr}$ generates $Y$. $\mathcal{A}_{DistSchnorr}$ feeds $(G, q, Y)$ 
and the content of the random tape of $\mathcal{A}_{NormSchnorr}$ into $\mathcal{A}_{NormSchnorr}$ and starts 
$\mathcal{A}_{NormSchnorr}$. Whenever $\mathcal{A}_{NormSchnorr}$ asks for a signature on a message $m$, 
$\mathcal{A}_{DistSchnorr}$ has some $t$ signers execute the signature issuing protocol for $m$ and 
returns the signature $(\sigma, V)$ to $\mathcal{A}_{NormSchnorr}$. Thus, $\mathcal{A}_{NormSchnorr}$ can perform his 
chosen message attack. $\mathcal{A}_{DistSchnorr}$ outputs $(\tilde m, \tilde\sigma, \tilde V)$ if $\mathcal{A}_{NormSchnorr}$ outputs 
$(\tilde m, \tilde\sigma, \tilde V)$. □ 

Theorem 2. For any adversary $\mathcal{A}_{DistSchnorr}$ against $D_{DistSchnorr}$, there exists 
an adversary $\mathcal{A}_{NormSchnorr}$ against $D_{NormSchnorr}$ such that 

$\Pr[\mathcal{A}_{NormSchnorr}(G, q, Y) = (m_1, \ldots, (\tilde m, \tilde\sigma, \tilde V))]$ 

$= \Pr[\mathcal{A}_{DistSchnorr}(G, q \mid Y) = (m_1, \ldots, (\tilde m, \tilde\sigma, \tilde V))].$ 

³ $\mathcal{A}_{DistSchnorr}(G, q \mid Y)$ is different from $\mathcal{A}_{DistSchnorr}(G, q, Y)$. It contains not only the 
values $G, q, Y$, but also $\mathcal{A}_{DistSchnorr}$'s view from the key generation protocol. For 
$\mathcal{A}_{NormSchnorr}$ this view is empty, while for $\mathcal{A}_{DistSchnorr}$ this is not the case (since he 
can corrupt $t-1$ signers). 
Proof. We show how to construct $\mathcal{A}_{NormSchnorr}$ given $\mathcal{A}_{DistSchnorr}$. In particular, 
we will show how $\mathcal{A}_{NormSchnorr}$ can simulate, with the help of a signing 
oracle (used in the chosen message attack assumption), the role of the honest 
players in $D_{DistSchnorr}$ for a given public key $Y$. Because $\mathcal{A}_{DistSchnorr}$ cannot 
distinguish this simulation, it will be successful and output a forgery which is a 
forgery in $D_{NormSchnorr}$, too. 

Let $B$ be the index set of players corrupted by $\mathcal{A}_{DistSchnorr}$. Using the simulator 
described in Section 5.2, $\mathcal{A}_{NormSchnorr}$ lets SIM execute the key generation 
protocol for the given public key $Y$. Note that $\mathcal{A}_{NormSchnorr}$ knows after this 
simulation the values $a_i$ for $i \in B$. Next, $\mathcal{A}_{NormSchnorr}$ runs $\mathcal{A}_{DistSchnorr}$. Whenever 
$\mathcal{A}_{DistSchnorr}$ requests a signature for a message $m_i$, $\mathcal{A}_{NormSchnorr}$ asks a 
signer and provides $\mathcal{A}_{DistSchnorr}$ with the signature $(m_i, \sigma_i, V_i)$. $\mathcal{A}_{NormSchnorr}$ 
also has to provide $\mathcal{A}_{DistSchnorr}$ with the values she sees during the signature 
issuing protocol. These values include the view resulting from generating the 
random shared secret $e$ and the values $\gamma_i$ for $i \in H_2 \setminus B$. To compute these 
values, $\mathcal{A}_{NormSchnorr}$ lets SIM interact with $\mathcal{A}_{DistSchnorr}$ during the generation 
of the random shared secret $e$. After this simulation $\mathcal{A}_{NormSchnorr}$ knows $\beta_i$ for 
$i \in B$ and can compute $\gamma_i$ for $i \in B$. Finally, $\mathcal{A}_{NormSchnorr}$ computes $\gamma_j$ for 
$j \in H_2 \setminus B$ as follows. W.l.o.g. we assume that $|B \cap H_2| = t-1$. Then we have for 
every $j \in H_2 \setminus B$ (see Section [?]) 

$\sigma_i = \sum_{k \in B \cup \{j\}} \omega_k \gamma_k, \quad \text{where } \omega_k = \prod_{l \in B \cup \{j\},\, l \neq k} \frac{l}{l - k}.$ 

Hence, $\gamma_j$ is computed as 

$\gamma_j = \frac{\sigma_i - \sum_{k \in B} \omega_k \gamma_k}{\omega_j}.$ 

$\mathcal{A}_{NormSchnorr}$ feeds $\gamma_j$ for $j \in H_2 \setminus B$ to $\mathcal{A}_{DistSchnorr}$. Since $\mathcal{A}_{DistSchnorr}$ 
now has her whole view, she can perform her adaptive chosen message attack. 
$\mathcal{A}_{NormSchnorr}$ outputs $(\tilde m, \tilde\sigma, \tilde V)$ if $\mathcal{A}_{DistSchnorr}$ outputs $(\tilde m, \tilde\sigma, \tilde V)$. □ 



6 The Implicit Certificate Scheme 

To motivate the $(t, n)$ threshold scheme for implicit certificates, we give a short 
overview of the non-distributed version of this scheme. In [?], security proofs for 
this scheme in the random oracle model are given. 

Assume a CA with the key pair $(x, Y)$ issues an implicit certificate to a 
user, and let $h(\cdot)$ be a one-way hash function. The operation of the scheme is as 
follows. 

1. The user generates a random integer $c \in \mathbb{Z}_q$ and computes $V = cG$. Further, 
   he sends $V$ to the CA. 

2. The CA authenticates the user. Together, the CA and the user determine 
   an identifier string $I_U$ (containing the user's identity and other information 
   such as, for example, a serial number for the certificate). 

3. The CA chooses a random integer $e \in \mathbb{Z}_q$ and computes $C = V + eG$ and 
   $\sigma = e + h(I_U \| C)\, x$. Further, the CA sends $(I_U, C, \sigma)$ to the user. 

4. The user computes his private key $SK_U = c + \sigma \bmod q$, and verifies the 
   certificate by checking that the following equation holds: $SK_U G = C + h(I_U \| C)\, Y$. 

The user's public key can be computed from the certificate $(I_U, C)$ as follows: 
$PK_U = C + h(I_U \| C)\, Y$. Note that the equation used to compute $\sigma$ is exactly 
Schnorr's signing equation. The only difference from Schnorr's signature scheme 
is the construction of the point $C$. Here, this point contains an additive component 
that the user provides. This is necessary to guarantee that only the user 
knows his secret key. 

7 (t, n) Threshold Scheme for Implicit Certificates 

In this section, we incorporate the distributed Schnorr signature scheme into a 
$(t, n)$ threshold scheme for implicit certificates in the same way as was done in 
Section [?]. In such a scheme, $n$ players $P_1, \ldots, P_n$ represent a CA with public key 
$PK_0$. A group of $t$ players together can reconstruct $SK_0$ and issue an implicit 
certificate. Any coalition of fewer than $t$ players does not have any information about 
$SK_0$. 

Our scheme consists of three steps. First, the players representing the CA 
have to generate a key pair. Everybody will know the value of $PK_0$, while only 
a coalition of at least $t$ players shall be able to recover $SK_0$ or issue certificates. 
Second, the players issue a certificate to a user. Finally, the user verifies whether the 
certificate is valid. 

7.1 Key Generation Protocol 

We would like to generate a random shared secret $SK_0$ such that each player $P_i$ 
who follows the protocol holds a share $s_i$ in this key. Moreover, a coalition of 
fewer than $t$ players cannot get any information about $SK_0$. 

This situation corresponds exactly to the generation of a shared secret, as described 
in Section [?]. Using the notation introduced in Section [?], the situation 
is as follows: 

$(a_1, \ldots, a_n) \;\; [?] \;\; (SK_0;\ PK_0,\ b_k G,\ H_0), \quad k \in \{1, \ldots, t-1\}.$ 

7.2 Certificate Issuing Protocol and Public Key Reconstruction 

Suppose the players with index set $H_1 \subseteq H_0$ want to issue an implicit certificate. 

1. The user selects a random number $c_U$ and sends $V_U = c_U G$ to the players. 

2. If $|H_1| < t$, stop. Otherwise, $H_1$ generates a random shared secret as shown 
   in Section [?]. Let the public output be [?]. 

3. If $|H_2| < t$, stop. Otherwise, each $P_i$ for $i \in H_2$ computes $C = V + V_U$ and 
   reveals 

   $\gamma_i = \beta_i + h(I_U \| C)\, a_i.$   (4) 

4. Each $P_i$ for $i \in H_2$ verifies that 

   $\gamma_j G = V + \sum_{k=1}^{t-1} j^k\, [?]_k + h(I_U \| C)\Big(PK_0 + \sum_{k=1}^{t-1} j^k\, b_k G\Big)$ for all $j \in H_2$.   (5) 

   Let $H_3$ be the index set of players not detected to be cheating at step 3. 

5. If $|H_3| < t$, stop. Otherwise, each $P_i$ for $i \in H_3$ selects an arbitrary set 
   $H_4 \subseteq H_3$ with $|H_4| = t$ and computes $\sigma$ satisfying $\sigma = e + h(I_U \| C)\, x$ by 

   $\sigma = \sum_{j \in H_4} \omega_j \gamma_j, \qquad \omega_j = \prod_{l \in H_4,\, l \neq j} \frac{l}{l - j}.$   (6) 

   The implicit certificate is $(\sigma, C)$, which every player sends to the user. 

6. At most $t-1$ of the certificates the user receives may be incorrect. To 
   identify the correct certificates, the user computes his private key $SK_U$ as 
   $SK_U = c_U + \sigma$ and verifies 

   $SK_U G = C + h(I_U \| C)\, Y$ and $\sigma \in \mathbb{Z}_q$.   (7) 

The public key of the user can be computed from the implicit certificate as 
follows: 

$PK_U = C + h(I_U \| C)\, Y.$   (8) 
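The following Python program is an added worked example and is not code from the paper. It runs the certificate issuing of Section 6 in the $(t, n)$ threshold form of Section 7.2 over secp256k1: a dealer shares the CA key and the per-certificate secret $e$ (a stand-in for the paper's dealerless protocols, which is an assumption of this example), each player publishes its $\gamma_i$ from equation (4), everyone checks the shares with the commitment test of equation (5), any $t$ consistent shares are combined with the Lagrange coefficients $\omega_j$ of equation (6), and the user applies the check of equation (7) and reconstructs $PK_U$ as in equation (8). The identifier string, the cheating player and the function names (`share`, `issue`, `user_finish`, `demo`) are all made up for the example.

```python
"""Toy (t, n) threshold implicit certificate over secp256k1 (added example, not the
paper's code). Assumed simplifications: a trusted dealer replaces the dealerless key
generation and the shared secret e (Shamir shares plus public Feldman-style commitments
c_k G, so equation (5) is checkable from public data); h is SHA-256 mod q; I_U is made up."""
import hashlib
import secrets
# Standard secp256k1 domain parameters: field prime, group order, base point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt, k reduced mod q."""
    acc, k = None, k % Q
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def h(ident, c_point):
    """h(I_U || C): SHA-256 over the identifier and the encoded point C, mod q."""
    data = ident + c_point[0].to_bytes(32, "big") + c_point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def share(secret, t, n):
    """Shamir shares f(1..n) of a random degree t-1 polynomial plus commitments c_k G."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return shares, [mul(c, G) for c in coeffs]

def commit_eval(commits, i):
    """f(i) G from the public commitments only: sum_k i^k (c_k G)."""
    acc = None
    for k, ck in enumerate(commits):
        acc = add(acc, mul(pow(i, k, Q), ck))
    return acc

def lagrange0(indices):
    """omega_j = prod_{l != j} l/(l - j) mod q, the Lagrange coefficients for f(0)."""
    w = {}
    for j in indices:
        num = den = 1
        for l in (l for l in indices if l != j):
            num, den = num * l % Q, den * (l - j) % Q
        w[j] = num * pow(den, -1, Q) % Q
    return w

def issue(ident, v_user, a_shares, a_commits, t, n, cheaters=()):
    """Steps 2-5 of Section 7.2; returns (sigma, C, indices detected as cheating)."""
    e = 1 + secrets.randbelow(Q - 1)                 # dealer stands in for the DKG
    b_shares, b_commits = share(e, t, n)             # public output V = eG = b_commits[0]
    c_point = add(v_user, b_commits[0])              # C = V + V_U
    hc = h(ident, c_point)
    gammas = {i: (b_shares[i] + hc * a_shares[i]) % Q for i in range(1, n + 1)}  # eq. (4)
    for i in cheaters:                               # a cheater publishes a wrong share
        gammas[i] = (gammas[i] + 1) % Q
    # Equation (5): gamma_j G == B(j) + h(I_U||C) A(j), checkable by every player.
    honest = [j for j, g in gammas.items() if mul(g, G) ==
              add(commit_eval(b_commits, j), mul(hc, commit_eval(a_commits, j)))]
    if len(honest) < t:
        raise ValueError("fewer than t consistent shares: stop")
    w = lagrange0(honest[:t])                        # H_4: any t players that passed
    sigma = sum(w[j] * gammas[j] for j in w) % Q     # sigma = e + h(I_U||C) x
    return sigma, c_point, sorted(set(gammas) - set(honest))

def user_finish(ident, c_user, sigma, c_point, pk_ca):
    """Step 6 and equation (8): SK_U = c_U + sigma, PK_U = C + h(I_U||C) PK_0."""
    sk_user = (c_user + sigma) % Q
    pk_user = add(c_point, mul(h(ident, c_point), pk_ca))
    return mul(sk_user, G) == pk_user, sk_user, pk_user   # equation (7)

def demo(t=3, n=5, cheaters=(2,)):
    """Dealer shares SK_0, players issue, user verifies; returns the check results."""
    x = 1 + secrets.randbelow(Q - 1)                 # CA secret SK_0
    pk_ca = mul(x, G)
    a_shares, a_commits = share(x, t, n)
    ident = b"user@example.org; serial 0001"         # constructed identifier string I_U
    c_user = 1 + secrets.randbelow(Q - 1)
    sigma, c_point, detected = issue(ident, mul(c_user, G), a_shares, a_commits, t, n, cheaters)
    ok, _, pk_user = user_finish(ident, c_user, sigma, c_point, pk_ca)
    tampered_ok = user_finish(ident, c_user, sigma ^ 1, c_point, pk_ca)[0]
    players_know_sk = mul(sigma, G) == pk_user       # False: the players never see c_U
    return ok, detected, tampered_ok, players_know_sk
```

`demo()` returns `(True, [2], False, False)`: the user's check (7) passes, player 2's inconsistent $\gamma_2$ is caught by the public test of equation (5) before reconstruction, a tampered $\sigma$ fails (7), and $\sigma G$ alone does not equal $PK_U$ because only the user holds $c_U$, which is the point made at the end of Section 6.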



7.3 Correctness 

We have to verify that the private key $SK_U$ computed by the user corresponds 
to the public key $PK_U$ implied by the implicit certificate, i.e., we have to verify 
that the following holds: 

$SK_U G = C + h(I_U \| C)\, PK_0.$   (9) 

Let $H$ ($|H| = t$) be a group of players which have not been detected to be cheating 
when issuing the certificate. Then we have 

$SK_U G = (c_U + \sigma)\, G = V_U + \sum_{i \in H} \omega_i \gamma_i G = V_U + \sum_{i \in H} \big( \omega_i \beta_i G + a_i \omega_i h(I_U \| C)\, G \big)$ 

$= V_U + V + h(I_U \| C)\, PK_0 = C + h(I_U \| C)\, PK_0.$ 

7.4 Robustness 

We have to show that if fewer than $t$ players are corrupted, the scheme always 
produces a valid certificate that is accepted by the user. We assume that $t$ [?]. 

From the robustness property of the protocol to generate a random shared 
secret it follows that every honest player $P_i$ computes correct values $a_i, \beta_i, \gamma_i$. 
Because there are at least $t$ honest players, and because they can identify the 
correct $\gamma_i$ by verifying (5), it follows directly from the correctness property that 
the honest players will always compute a valid certificate. Finally, the user can 
identify a valid certificate by verifying (7). 

8 Security Analysis 

8.1 Notion of Security 

Let $(SK_{CA}, PK_{CA})$ be the key pair of the CA. An implicit certificate scheme is 
secure if the following two properties hold: 

unforgeability: It is hard for an adversary who does not know the CA's secret 
key to forge implicit certificates in such a manner that the adversary knows 
the corresponding private key. 

non-impersonating: It is hard for the CA to obtain the user's private key 
provided that the user followed the protocol. 

The term "hard" means that there is no polynomial-time adversary who can 
solve the task with non-negligible probability. These conditions must hold for 
adversaries defined as follows. 

We define a forging adversary $\mathcal{A}_f$ as a probabilistic, polynomial-time Turing 
machine which, on input $PK_{CA}$, does the following: 

— It may watch other entities requesting and receiving implicit certificates from 
the CA. 

— It may request implicit certificates from the CA. 

— Finally, it produces an implicit certificate and the corresponding private key 
in time $t$ and with probability $p$. 

We define an impersonating adversary $\mathcal{A}_i$ as a probabilistic, polynomial-time 
Turing machine which, on input $(PK_{CA}, SK_{CA})$, does the following: 

— It may act as a CA and issue implicit certificates to requesting entities. 

— It can produce an implicit certificate and the corresponding private key in 
time $t$ and with probability $p$. 

An adversary $\mathcal{A}_f$ (respectively, $\mathcal{A}_i$) is successful if $t$ is polynomial and $p$ is non-negligible. 

8.2 Unforgeability 

Let $(x, Y)$ be the $(SK, PK)$ key pair of the CA. Let $D_{NormSchnorr}$ denote 
Schnorr's signature scheme and $\mathcal{A}_{NormSchnorr}$ be a successful adversary against 
it as defined earlier in Section 5.3. We define a successful adversary $\mathcal{A}_{DistCert}$ 
against the implicit certificate scheme $D_{DistCert}$ as a successful forging adversary 
as defined in Section 8.1. 

One can show that a successful adversary $\mathcal{A}_{NormSchnorr}$ is equivalent to a 
successful adversary $\mathcal{A}_{DistCert}$, in the sense that each of them can construct 
the other one. This implies that the distributed implicit certificate scheme is as 
secure as Schnorr's signature scheme. 

The same proof technique as was used for the distributed Schnorr signature 
scheme can be applied in a straightforward way. That is, one can show how to 
simulate the view of the given adversary without knowing the private key of the 
players. Since the adversary cannot distinguish a simulated view from an actual 
view, she will perform her attack and output a forgery. This forgery can then be 
used to construct the other adversary. 

8.3 Non-impersonating 

By proving the unforgeability of our scheme, we implicitly proved that the user 
does not learn the players’ private key shares. We also have to show that the 
players do not learn the user’s private key and impersonate the user. But it 
follows directly from the scheme that if the players could compute the user’s 
private key, then they could compute discrete logarithms. 

8.4 Further Issues 

Consider the scenario where a digital signature on a certain message and an 
implicit certificate authenticating the corresponding verification key are sent to a 
user. Even though we proved that it is hard to forge an implicit certificate 
without knowing the CA's secret key such that one knows the corresponding 
private key, we did not prove that it is hard to forge a digital signature and 
an implicit certificate such that the public key implied by the certificate just 
validates the signature. 

This is not an issue with traditional certificates. However, whenever implicit 
certificates are used to authenticate a public key for some application, a specific 
security proof for the particular application is necessary. For example, in [2], 
a proof is given in the random oracle model that it is secure to use implicit 
certificates as authentication for public keys that verify Schnorr signatures. 

9 Conclusion 

We have presented a (t, n) threshold version of Schnorr’s signature scheme, and a 
(t, n) threshold scheme for implicit certificates. Both schemes are efficient, robust 
and provably secure in the random oracle model. 

From a practical point of view, the implicit certificate scheme has the follow- 
ing drawbacks: 

— The scheme itself generates a key pair for the user. Therefore, it cannot be 
used to generate an implicit certificate for a given key pair of the user. 

— The scheme produces a key pair which is defined over the same group as the 
CA’s key pair is. Therefore, the security parameters for the certified public 
keys are always inherited from the certifying CA. 
Abstract. In a confirmer signature, verification of a signature requires 
collaboration of the confirmer. A Fail-Stop Confirmer signature provides 
protection against an enemy with unlimited computational power. A 
Fail-Stop Confirmer signature is a combination of Fail-Stop Signature 
and Confirmer Signature Schemes, which was first constructed in [?]. In 
this paper we discuss security issues that arise in naive constructions 
of such systems. 



1 Introduction 

An ordinary digital signature [?] is verifiable by anyone who has access to the 
correct public key. If only a single recipient is to verify the signature, a zero-knowledge 
proof [?] can be used. Undeniable signatures [?] are between these 
two: an undeniable signature can be verified by everyone but requires the help of 
the signer. The signer is able to reject invalid signatures, but he must not be able 
to deny valid signatures. If the signer is unavailable or unwilling to cooperate, 
the signature would no longer be verifiable. To overcome this shortcoming, the 
notion of confirmer signatures [?] was proposed. In confirmer signatures, the ability 
to verify or deny signatures is transferred to a designated confirmer. A generic 
construction of a confirmer signature scheme from an ordinary signature scheme 
is proposed in [?]. 

Security of traditional signature schemes relies on some computational assumptions. 
This means that if an enemy can solve the underlying hard problem, 
he can successfully forge a signature and there is no way for the signer to 
prove that a forgery has occurred. To provide protection against an enemy with 
unlimited computational power, Fail-Stop Signature (FSS) schemes have been 
proposed [?]. An FSS scheme is a signature scheme equipped with an algorithm 
to prove that a forgery has happened. To achieve this property, many secret 
keys match the same public key and the sender uses a specific one of them. An 
unbounded enemy can find out the set of all secret keys but cannot determine 
which secret key is actually used. So in the case of forgery, that is generating a 
signed message that passes the verification test, the sender can use his secret key 
to generate a second signature for the same message which with overwhelming 
probability will be different from the forged one. The two signatures on the same 
message can be used as a proof that the underlying computational assumption 
is broken and the system must be stopped, hence the name fail-stop. Thus, FSS 
schemes provide information-theoretic security for the signer. However, security 
for the receiver is computational. An FSS in its basic form is a one-time digital 
signature that can only be used for signing a single message. However, it 
is possible to extend an FSS scheme to be used for signing multiple messages 
[?]. 

* This work is in part supported by Australian Research Council Grant Number 
A49703076. 

A Fail-Stop Confirmer Signature (FSCS) scheme, introduced in [?], combines 
the confirmer signature property with the fail-stop property. The purpose 
of FSCS is to provide information-theoretic security for the signer and maintain 
the confirmer property, so that when the signer is unavailable, the confirmer is 
able to verify the signature. 

In this paper, we propose a model of FSCS schemes and show the difficulties 
of constructing one. 



1.1 Previous Works 

Confirmer signature schemes were introduced in [?]. Okamoto presented a formal 
model and proved that the existence of confirmer signature schemes is equivalent 
to that of public-key encryption schemes [?], and presented a practical scheme. 
However, it is shown in [?] that Okamoto's scheme is insecure because the confirmer 
can forge a signature. Michels and Stadler [?] proposed a solution to 
Okamoto's problem by introducing a new model. However, as pointed out in 
[?], their model is vulnerable to an adaptive signature-transformation attack 
(which is similar to security against adaptive chosen-ciphertext attacks [?] for 
encryption schemes), and all previous schemes are vulnerable to this attack. 
Camenisch and Michels presented a generic construction for confirmer signature 
schemes that does not suffer from the adaptive signature-transformation attack. 

Fail-Stop Signature (FSS) schemes protect the signer information theoretically 
against an unlimited forger. The first construction of FSS [?] uses a one-time 
signature scheme (similar to [?]) and results in bit by bit signing of the 
message, which is impractical. In [?], an efficient single-recipient FSS to protect 
clients in an on-line payment system is proposed. The main disadvantage of this 
system is that signature generation is a 3-round protocol between the signer and 
the recipient, which makes it expensive from a communication point of view. van 
Heijst and Pedersen [?] proposed an efficient FSS that uses the difficulty of the discrete 
logarithm problem as the underlying assumption. In the case of a forgery, 
the presumed signer can solve an instance of the discrete logarithm problem, 
and prove that the underlying assumption is broken. 

In [?], a formal definition of FSS schemes is given and a general construction 
using bundling homomorphisms is proposed. The important property of this 
construction is that it is provably secure against the most stringent type of attack 
on signature schemes, that is adaptive chosen message attack [?]. The proof of 
forgery is by showing two different signatures on the same message, the forged 
one and the one generated by the valid signer. To verify the proof of forgery 
the two signatures are shown to collide under the 'bundling homomorphism'. 
The scheme by van Heijst and Pedersen [?] is an example of this construction. 
van Heijst, Pedersen and Pfitzmann also gave an example of this construction 
that uses the difficulty of factoring as the underlying computational assumption 
of the system [?]. Other works in this area include a general construction 
of FSS from authentication codes, given in [?], which has been 
used to construct an efficient FSS to sign long messages [?]. 

A Fail-Stop Confirmer Signature (FSCS) combines the properties of confirmer 
signature and FSS schemes. The first construction of FSCS was proposed 
in [?]. The scheme is an extension of an FSS scheme proposed in [?]. 

1.2 Our Contributions 

In this paper, we define a model of FSCS schemes that has the separability property 
[?], that is, it allows all parties to independently run their key generation algorithms 
(cf. [10]). We propose a generic method for converting an FSS scheme 
into an FSCS scheme while maintaining its security properties. We show that 
an FSCS can be constructed from an FSS scheme combined with an encryption 
scheme. We discuss the security issues that arise in the FSCS scheme because 
of the unbounded enemy. In particular we show that the confirmer does not 
have any significance from a security point of view and is mainly there to provide 
non-transferability for the signatures. This shows that a simple combination of FSS 
and encryption schemes to construct an FSCS scheme is insecure. 

The paper is organized as follows. In the next section, we give a model for 
FSCS schemes and outline its security requirements. Section 3 proposes a generic 
construction for FSCS schemes from an FSS scheme and a secure encryption scheme. 
In Section 4 we discuss the problem that arises in an FSCS model. Section 5 
concludes the paper. 

2 FSCS Model 

There exists a signer $S$, a confirmer $C$ and a signature verifier $V$ who are polynomially 
bounded. There is a trusted third party TA whose role is only required 
during prekey generation (and it can be eliminated by replacing its role with the 
recipient or the signature verifier). The enemy $\mathcal{E}$ has unlimited computational 
power. 

A Fail-Stop Confirmer Signature (FSCS) scheme consists of the following pro- 
cedures: 
— Prekey Generation: 

$PKG(k, \sigma, \ell) \to (x_D, y_D)$ is a probabilistic algorithm where $k$ and $\sigma$ 
are the security parameters for the receiver and sender, respectively, and 
$(x_D, y_D)$ is a secret/public key pair for the TA (or trusted dealer). $\ell$ is the 
security parameter of the confirmer. 

— Key Generation: 

Consists of two probabilistic algorithms, $KGS()$ and $KGC()$, where $KGS()$ 
is performed by $S$ and $KGC()$ is performed by $C$. $KGS(k, \sigma, y_D) \to (x_S, y_S)$, 
where $y_D$ is the public key of the TA with the same security level $(k, \sigma)$ obtained 
from the algorithm $PKG$, and $KGC(\ell, y_D) \to (x_C, y_C)$. $(x_S, y_S)$ is a 
secret/public key pair for the signer $S$, and $(x_C, y_C)$ is a secret/public key 
pair for the confirmer $C$. 

— Signing: 

A probabilistic algorithm $CSig(m, x_S, y_S, y_C) \to \delta$ that generates a signature 
for a message $m \in \{0, 1\}^*$. 

— Confirmation and Disavowal: 

A signature verification protocol $Ver()$ between a confirmer $C$ and a verifier 
$V$. The private input of $C$ is $x_C$ and their common input consists of 
$m, \delta, y_S, y_C$. The output of this protocol is either 1 (true) or 0 (false). 

— Proof of Forgery: 

A probabilistic algorithm $PoF(m, \tilde\delta, \delta)$ will be performed by $S$ 
to generate a proof of forgery in the case of dispute, where $\tilde\delta$ and $\delta$ denote 
two signatures that pass $Ver()$. The output of this protocol is either $\eta$ 
(the proof of forgery) or $\bot$ (fail). If an enemy has successfully constructed a 
signature $\tilde\delta$ on a message $m$ for which $Ver()$ outputs 1, then with overwhelming 
probability the presumed signer $S$ can run $PoF(m, \tilde\delta, \delta)$, where 
$\delta \leftarrow CSig(m, x_S, y_S, y_C)$, to show that the underlying hard assumption of 
the system has been broken. 

A probabilistic algorithm $VerPoF(\eta, y_S, y_C) \to \{0, 1\}$ that allows everyone 
to verify the proof of forgery. It takes as input the proof of forgery $\eta$ together 
with the public information $(y_S, y_C)$ and returns 1 if the proof of forgery is 
valid, or 0 otherwise. 

— Selective Convertibility: 

An algorithm $CConv(m, \delta, y_S, x_C, y_C) \to \{s, \bot\}$ that allows a confirmer $C$ to 
convert a confirmer signature $\delta$ into an ordinary signature $s$, which allows anyone 
to verify the signature without the help of the confirmer. If the conversion 
fails, the algorithm outputs $\bot$. 

— Signature Verification (Ordinary): 

An algorithm $COVer(m, s, y_S) \to \{0, 1\}$ that allows everyone to verify the 
ordinary signature that is the output of $CConv()$. It takes as input a message 
$m$, a signature $s$ and the signer's public key $y_S$. 

Notions of Security 

The FSS scheme used in an FSCS must be provably secure against adaptive chosen-message 
attack [?]. In this type of attack, the adversary can choose messages 
and get the corresponding signatures. His task is to sign a different message that 
has not been signed by the original signer such that the signature is identical to 
the one that should have been produced by the original signer. An algorithm is 
secure against adaptive chosen-message attack if the probability of the adversary 
producing such a signature is negligible. 

Security Requirements 

In the following, we define the security requirements for the sender, confirmer 
and recipient of FSCS schemes. 

— Security for the Sender: 

Security for the sender $S$ ensures that the confirmer signature and the converted 
signatures are unforgeable under an adaptive chosen-message attack. 
The signer $S$ is protected information theoretically against an enemy with 
unlimited computational power, with security level $\sigma$. For each message many 
signatures can be generated that pass the verification test. The chance of an unbounded 
enemy to construct the one produced by the true signer is bounded 
by $2^{-\tau}$, where $\tau$ is the bundling degree of the bundling homomorphism [?], which is the 
relevant security parameter. In the case of forgery, the presumed signer $S$ can 
generate a proof of forgery with an overwhelming probability. 

— Security for the Confirmer: 

If the confirmer's confirmation is forged, the presumed signer will always be 
able to generate a proof of forgery with overwhelming probability. 

— Security for the Receiver: 

The receiver is protected computationally against the sender and the confirmer, 
which are polynomially bounded. The sender and the confirmer cannot 
falsely confirm or deny the signature with overwhelming probability. To 
be more precise, the security level for the receiver against the sender is measured 
by $k$ and the security level against the confirmer is measured by $\ell$. 
Therefore, for sufficiently large $k$ and $\ell$ and $c > 0$, we require that 

$\Pr\big[(\delta \leftarrow CSig(m, x_S, y_S, y_C)) \wedge (1 \leftarrow Ver(m, y_S, y_C, \delta)) \wedge (\tilde\delta \neq \delta) \wedge (\eta \text{ is valid})\big] < (\min(k, \ell))^{-c}.$ 

— Collusion Attack against the Sender: 

The strongest attack in FSCS can be performed by an unbounded enemy 
who is colluding with the confirmer against the sender. In this case, the 
enemy (or the colluding confirmer) has the knowledge of $x_C$ together with 
his unbounded ability to solve the hard underlying assumption. Under this 
attack, we require that the signer is still protected information theoretically 
from the colluding enemy and confirmer, with appropriate security level (e.g. 
$\sigma$). 

An FSCS scheme must satisfy the following security requirements. 

— Unforgeability of Signatures: 

There exists no polynomial time algorithm which on input $y_S, y_C$ outputs 
with non-negligible probability an arbitrary correct message-signature pair 
$(m, \tilde\delta)$ where $\tilde\delta \neq \delta$ for $\delta \leftarrow CSig(m, x_S, y_S, y_C)$ and $\bot \leftarrow PoF(m, \tilde\delta, \delta)$. 

— Consistency of Verification: 

If the confirmer is honest, for all $Ver()$ between a confirmer $C$ and a verifier 
$V$ and all (correct and incorrect) message-signature pairs $(m, \delta)$ the following 
equation must hold: 

$Ver(m, y_S, y_C, \delta) = 1$ if $\delta = CSig(m, x_S, y_S, y_C)$, and $0$ otherwise. 

Informally, this means that the honest confirmer will always confirm correctly. 

— Non-transferability of Verification: 

The verification protocol $Ver()$ must be a minimum knowledge bi-proof (according 
to the definition of [?]). Receiving the confirmation from $C$, the 
verifier $V$ cannot reuse this proof to show someone else that the signature is 
valid. 

Definition 1. A $(k, \sigma, \ell)$-secure FSCS scheme is an FSCS scheme in which the 
security level for the signer against an unbounded forger is $\sigma$, the security level for 
the confirmer is $\ell$, and the recipient is protected computationally against the 
sender and the confirmer with security level $\min(k, \ell)$. 

3 A Generic Construction for FSCS Schemes 

In this section, we propose a generic construction for an FSCS scheme from an 
FSS scheme. This is a variation of the construction proposed in [2]. 

Let $SIG = (SPKG, SKG, Sig, Ver)$ denote an FSS scheme, where $SPKG$ 
is the prekey generation algorithm, $SKG$ is the key generation algorithm, $Sig$ 
is the signing algorithm and $Ver$ is the verification algorithm. Let $ENC = 
(EKG, Enc, Dec)$ denote a public key encryption scheme. On input a security 
level, $EKG$ outputs a key pair $(x', y')$ where $x'$ is a secret key and $y'$ is the 
corresponding public key. On input $y'$ and a message $m$, $Enc$ outputs a ciphertext 
$c$, and on input the secret key $x'$ and a ciphertext $c$, $Dec$ outputs $m$. If $c$ is not 
valid, $Dec$ outputs $\bot$. 

Given an FSS scheme and a secure encryption scheme, an FSCS can be 
constructed as follows: 

1. The key generators are chosen as 

   - $PKG(k, \sigma) = SPKG(k, \sigma)$; 
   - $KGS(k, \sigma, y_D) = SKG(k, \sigma, y_D)$, and 
   - $KGC(\ell) = EKG(\ell)$. 
2. The signer signs a message $m \in \{0, 1\}^*$ by constructing $s := Sig(m, x_S, y_S)$ 
   and $\delta := Enc(s, y_C)$. The confirmer signature on $m$ is given by $\delta$. 

3. The confirmation and disavowal protocol $Ver()$ between the confirmer and 
   a verifier is as follows: 

   Receiving a confirmer signature $\delta$, the confirmer $C$ decrypts $\delta$ to obtain $s := 
   Dec(\delta, x_C)$. If $Ver(m, s, y_S) = 1$, then $C$ declares the signature valid. This 
   is through a concurrent zero-knowledge [?] protocol between the confirmer 
   and the verifier that proves to the verifier that "$\gamma_1 = Dec(\delta, \gamma_2, y_C)$ and 
   $Ver(m, \gamma_1) = 1$, and $\gamma_2$ is the secret key corresponding to $y_C$". Otherwise, 
   the confirmer declares the signature invalid and proves in concurrent zero-knowledge 
   that "($\gamma_1 = Dec(\delta, \gamma_2)$ and $Ver(m, \gamma_1, y_S) = 0$, where $\gamma_2$ is the 
   secret key corresponding to $y_C$, or decryption fails)". 

4. The protocol to prove forgery is run by $S$ in the case that there is a signature 
   $\tilde\delta$ on a message $m$ that passes the verification test performed with the 
   confirmer $C$. 

   $S$ generates his signature on the same message $s := Sig(m, x_S, y_S)$ and 
   publishes it as the proof of forgery. 

   The proof of forgery verification can be performed as follows: 

   — Verify that $Ver(s, y_S) = 1$. 
   — Compute $\delta = Enc(s, y_C)$ and verify that $\delta \neq \tilde\delta$. 

   The above conditions show that $\delta$ is different from $\tilde\delta$ and both of the signatures 
   pass the verification test. If the above conditions hold, the proof of 
   forgery is valid and the scheme has to be stopped at this stage. 

5. The selective conversion algorithm $CConv(m, \delta, y_S, x_C, y_C)$ outputs $s := 
   Dec(\delta, x_C)$ if $Ver(m, Dec(\delta, x_C), y_S) = 1$. Otherwise, it outputs $\bot$. 

6. The public verification algorithm for converted signatures is defined as 

   $COVer(m, s, y_S) = Ver(m, s, y_S).$ 

3.1 Properties of the Signature and Encryption Schemes 

The above construction is based on a generic construction proposed in [2] and uses an FSS that is secure against adaptive chosen-message attack together with a deterministic public key encryption scheme.

Unlike [?], we do not require an encryption scheme that is secure against adaptive chosen-ciphertext attacks, which would demand the encryption scheme (for instance [?]) to be probabilistic. Using a probabilistic public key encryption scheme would allow the signer to deny his signature, as shown below:

1. The signer constructs $s := Sig(m, x_S, y_S)$ and calculates $\delta = Enc_p(s, y_C, r)$, where $Enc_p$ is a probabilistic encryption scheme and $r$ is randomly selected.

2. Publish $\delta$ as an FSCS on $m$.

The signer can always deny his own signature $\delta$ by publishing $s$. This is because the verifier (who does not know $r$) will select an $\hat{r}$ which with overwhelming probability will be different from $r$, and so produces a proof of forgery as follows:

- Verify $Ver(s, y_S) = 1$, which will be true; and

- Calculate $\hat{\delta} = Enc_p(s, y_C, \hat{r})$ and check $\hat{\delta} \neq \delta$, which will also be true.

Theorem 1. The above construction satisfies the security requirements mentioned in Section [?].

Proof (sketch).

- Security for the Sender:

The signature on $m$, $s := Sig(m, x_S, y_S)$, is obtained from an FSS that is secure against adaptive chosen-message attack, with $\sigma$ as the security level of the signer. In the case of a dispute, the proof of forgery PoF can always be generated with overwhelming probability. The output of the selective conversion algorithm $CConv()$ is an FSS signature that has the same property as the original FSS signature.

- Security for the Receiver:

In the above construction, with overwhelming probability the sender cannot deny his signature and an honest confirmer cannot falsely confirm a signature. The security level of the system for the receiver against the sender is $k$ and against the confirmer is $\ell$. Since the signer is computationally bounded, he cannot find another secret key that matches his public key and use it to create a signature that could be used for a proof of forgery (hence denying his own signature). In fact the chance of finding such a key is $< \ldots$, where $k$ is as defined above and $c > 0$.

4 Security Problems in FSCS 

The enemy in FSCS is unbounded and can solve the underlying hard problem(s) of the system. Hence he can always create a signature that will be confirmed. On the other hand, this signature can be shown to be a forgery with very high probability. This means that the confirmer's role is strictly limited to making the signature untransferable and has no significance from the security point of view.

Furthermore, an unlimited enemy can find the secret key of the confirmer and fully impersonate him: not only generate false signatures, but also run a false verification protocol with the recipient of a signature generated by the sender and reject the signature. That is, correctly generated signatures may be rejected.

Both of the above security flaws exist in the scheme proposed in [?]. It seems that there is no easy way of correcting these problems, as they are a direct result of assuming that the enemy has unlimited computational power.

5 Conclusion 

In this paper we defined a model for Fail-Stop Confirmer Signature (FSCS) schemes and proposed a generic construction for FSCS schemes using a combination of Fail-Stop Signature schemes and encryption schemes. However, as discussed above, the resulting system will have security flaws that are not easily correctable. These flaws exist in a construction proposed in [?], and so modelling and constructing a secure FSCS remains an interesting open problem.
Abstract. In this paper, we propose two digital signature schemes based on a third order linear feedback shift register. One of them is a normal signature scheme for signing documents and the other is with encryption for an intended receiver. These two signature schemes are different from most signature schemes, which are based on the discrete logarithm problem, the elliptic curve discrete logarithm problem, RSA or quadratic residues. An efficient computational algorithm for computing the $k$th term of a sequence is also presented. The advantage of these two schemes is that the computation is carried out in the ground field and not in an extension field. We also show that the security of these two signature schemes is equivalent to that of the Schnorr signature scheme and the Signed-ElGamal encryption scheme respectively.

Key words: Cryptography; digital signature; shift register; discrete logarithm



1 Introduction 

1.1 Background and Previous Results 

Since the concept of public-key cryptography was first invented by Diffie and Hellman [5] in 1976, based on the hardness of the discrete logarithm problem (DL), many public key cryptosystems have been proposed and broken.

The most successful unbroken and practical public key cryptosystems are RSA [?] and the elliptic curve cryptosystem [?]. RSA was introduced by Rivest, Shamir and Adleman [?] in 1978 and is based on the intractability of factorization. The elliptic curve cryptosystem was discovered independently by Koblitz [?] and Miller [?] in 1985 and is based on the hardness of the elliptic curve discrete logarithm. All these public-key cryptographic alg
orithms are believed to be secure based on the assumption that no efficient algorithm has been found to solve these hard problems. During the early eighties, although public key cryptography was found not suitable for encryption due to its speed, the concept of the public key cryptosystem gave rise to a new and remarkable notion: the digital signature. Since then, many digital signature schemes have been proposed based on the discrete logarithm problem and RSA, for example, blind signatures [?], the ElGamal signature [?], group signatures [?], the Schnorr signature [?], signatures with message recovery [?] and RSA-based undeniable signatures [?], etc.

There have also been many efforts to design alternative signature schemes based on other mathematical problems. For example, the Ong-Schnorr-Shamir [?] scheme proposed in 1984 is based on low degree polynomials modulo a composite number, namely $x^2 + k y^2 \equiv m \pmod{n}$. This scheme was subsequently broken by Pollard and Schnorr [?] in 1987. A similar scheme was proposed by Shamir [?] in 1993 and was soon broken by Coppersmith, Stern and Vaudenay [?]. In 1997, Satoh and Araki proposed a signature scheme based on the non-commutative ring of quaternions; this scheme is a generalization of the Ong-Schnorr-Shamir [?] scheme. But this scheme was also subsequently broken by Coppersmith [?] in 2000. In this paper, we propose an alternative method to design signature schemes based on third order linear feedback shift registers.



1.2 Our Contributions 

In this paper, we propose two new digital signature schemes based on a third order linear feedback shift register and the hardness of the discrete logarithm problem in an extension field $GF(q^3)$. The paper is organised as follows:

In the following section, we discuss the cryptographic properties of a third order linear feedback shift register over $GF(q)$. In Section 3, we give an efficient computational method for computing the $k$th term of sequences on third order shift registers. In Section 4, we construct two digital signature schemes based on shift registers. Our signature schemes have the following features:

1. Our two signature schemes are proved to be based on the discrete logarithm problem over the extension field $GF(q^3)$.

2. The security of these two schemes is equivalent to that of the Schnorr signature scheme and the Signed-ElGamal encryption scheme respectively.

3. The computational complexity to compute the $(k+n)$th term of sequences on third order shift registers is $11H(n) + 3$ multiplications in $GF(q)$, where $H(n)$ is the Hamming weight of the integer $n$ in binary representation.

In Section 5, we examine the security of our two digital signature schemes and show that the security of our schemes is equivalent to that of the Schnorr signature scheme and the Signed-ElGamal encryption scheme respectively.



2 Third Order Linear Feedback Shift Registers 



Let $p$ be an odd prime and $e$ any positive integer. Let $GF(q)$ be a finite field where $q = p^e$ and

$$f(x) = x^3 - a x^2 + b x - 1, \qquad a, b \in GF(q)$$

be an irreducible polynomial over $GF(q)$ of order $Q = q^2 + q + 1$. A sequence $s = \{s_k\}$ generated by the polynomial $f(x)$ is called the third order linear feedback shift register (LFSR) sequence over $GF(q)$ if the elements of $s$ satisfy

$$s_k = a s_{k-1} - b s_{k-2} + s_{k-3}, \qquad k \ge 3,$$

with the initial values $s_0 = 3$, $s_1 = a$ and $s_2 = a^2 - 2b$.

In order to distinguish the sequence $\{s_k\}$ generated by $f(x) = x^3 - a x^2 + b x - 1$, we also denote $s_k$ by $s_k(a, b)$. Assume that $\alpha_1, \alpha_2, \alpha_3$ are all the roots of $f(x)$ in the extension field of $f(x)$ over $GF(q)$; then according to Newton's formula, the elements of $s$ can be represented by the symmetric power sums of the roots as follows:

$$s_k = \alpha_1^k + \alpha_2^k + \alpha_3^k.$$

Remarks:

1. As the roots of $f(x)$ are conjugates of each other, we have $\alpha_2 = \alpha_1^q$ and $\alpha_3 = \alpha_1^{q^2}$, and hence $s_k = s_{qk} = s_{q^2 k}$.

2. The number of $k$ coprime to $q^2 + q + 1$ is $\phi(q^2 + q + 1)$, which is approximately $\ldots$, where $\phi$ is Euler's function.

Let $S_k = [s_k, s_{k+1}, s_{k+2}]$ be a vector over $GF(q)$; then $s$ can also be obtained through the following matrix representation:

$$S_k^T = A^k S_0^T,$$

where $S_0^T$ is the transpose of the vector $S_0 = [s_0, s_1, s_2]$ and

$$A = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & -b & a \end{pmatrix}.$$

Given an initial state $S_k$, we can represent the state $S_{k+n}$ in the following form:

$$S_{k+n}^T = A^n S_k^T.$$

Let $Q = q^2 + q + 1$. For any $k$ such that $(k, Q) = 1$, we define $f_k(x)$ as follows:

$$f_k(x) = (x - \alpha_1^k)(x - \alpha_2^k)(x - \alpha_3^k) = x^3 - \Big(\sum_{i=1}^{3} \alpha_i^k\Big) x^2 + \Big(\sum_{1 \le i < j \le 3} \alpha_i^k \alpha_j^k\Big) x - \prod_{i=1}^{3} \alpha_i^k.$$

By some calculations, we have

$$\sum_{i=1}^{3} \alpha_i^k = s_k, \qquad \sum_{1 \le i < j \le 3} \alpha_i^k \alpha_j^k = s_{-k}, \qquad \prod_{i=1}^{3} \alpha_i^k = 1.$$

Hence, we have

$$f_k(x) = x^3 - s_k x^2 + s_{-k} x - 1. \qquad (1)$$



Lemma 1. (Corollary 3.47, [?]) An irreducible polynomial over $GF(q)$ of degree $n$ remains irreducible over $GF(q^k)$ if and only if $(k, n) = 1$.

With the above Lemma, we know that an irreducible polynomial of degree 3 over $GF(p)$ will remain irreducible over $GF(p^2)$. For example, $\ldots + 1$ is irreducible over $GF(7)$ and it is also irreducible over $GF(7^2)$ by Lemma 1.

Now, we list the following theorem, which has important properties for constructing digital signature schemes:

Theorem 1. Let $f(x) = x^3 - a x^2 + b x - 1$ be an irreducible polynomial over $GF(q)$ of order $Q$, where $Q = q^2 + q + 1$, and let $s$ be the sequence generated by $f(x)$. Then,

(a) For any integer $k$ with $(k, Q) = 1$ and $f_k(x) = x^3 - s_k x^2 + s_{-k} x - 1$, we have

(i) the order of $f_k(x)$ is $Q$,

(ii) $f_k(x)$ is irreducible iff $f(x)$ is irreducible.

(b) For any positive integers $k$ and $d$, we have

$$s_k(s_d(a,b), s_{-d}(a,b)) = s_{kd}(a,b) = s_d(s_k(a,b), s_{-k}(a,b)).$$

Proof:

(a) (i) Note that $\alpha_1^k$ and $\alpha_1$ are roots of $f_k(x)$ and $f(x)$ respectively, and both have the same order iff $(k, Q) = 1$. (ii) follows from (i) immediately and the fact that $Q \mid (q^3 - 1)$ and $Q > q^2$.

(b) Since $s_d(a, b) = \alpha_1^d + \alpha_2^d + \alpha_3^d$ and $s_k(a, b) = \alpha_1^k + \alpha_2^k + \alpha_3^k$, we have

$$s_k(s_d(a,b), s_{-d}(a,b)) = (\alpha_1^d)^k + (\alpha_2^d)^k + (\alpha_3^d)^k = \alpha_1^{dk} + \alpha_2^{dk} + \alpha_3^{dk} = s_{kd}(a, b).$$

We also have the following:

$$s_d(s_k(a,b), s_{-k}(a,b)) = (\alpha_1^k)^d + (\alpha_2^k)^d + (\alpha_3^k)^d = \alpha_1^{dk} + \alpha_2^{dk} + \alpha_3^{dk} = s_{kd}(a, b).$$

Hence, we complete the proof.

We call the smallest integer in the set $S = \{k q^i \bmod Q \mid 0 \le i \le 2\}$ the coset leader of $S$. In fact, a coset leader is closely related to distinct polynomials. We state this property in the following theorem.

Theorem 2. Let $f(x) = x^3 - a x^2 + b x - 1$ be an irreducible polynomial of order $Q$ over $GF(q)$, where $Q = q^2 + q + 1$. Let $k$ and $k'$ be relatively prime to $Q$ and different coset leaders modulo $Q$; then

$$(s_k, s_{-k}) \neq (s_{k'}, s_{-k'}).$$

Proof: If $(s_k, s_{-k}) = (s_{k'}, s_{-k'})$, then the polynomials $f_k(x)$ and $f_{k'}(x)$ are equal; let their roots be $\alpha^k$ and $\alpha^{k'}$ respectively. Then $\alpha^k$ and $\alpha^{k'}$ are conjugates of each other. This means that there exists an integer $t$ with $1 \le t \le 2$ such that $k = k' q^t \bmod Q$. This contradicts the fact that $k$ and $k'$ are different coset leaders modulo $Q$. Hence, we have the result.



3 Fast Computational Methods 

In [?], the authors give an algorithm to calculate the $k$th term of a third order sequence over $GF(q)$ through the following formulas:

$$s_{2n} = s_n^2 - 2 s_{-n},$$

$$s_{n+m} = s_n s_m - s_{-m} s_{n-m} + s_{n-2m}.$$

Now, we simply extend the algorithm given in [?] to $GF(q)$ as follows:

Algorithm 1: Let $f(x) = x^3 - a x^2 + b x - 1$ be an irreducible polynomial over $GF(q)$ and $k$ any number. Express $k = \sum_{j=0}^{r} k_j 2^{r-j}$ in binary, where $k_j \in \{0, 1\}$ and $r = \log q^{[?]}$. Let $K_j = k_j + 2K_{j-1}$ with $K_0 = k_0 \neq 0$; then $s_k$ and $s_{-k}$ can be calculated as follows:

(a) For $k_j = 0$, we have

$$s_{K_j - 1} = s_{K_{j-1}} s_{K_{j-1} - 1} - b\, s_{-K_{j-1}} + s_{-(K_{j-1} + 1)},$$

$$s_{K_j} = s_{K_{j-1}}^2 - 2 s_{-K_{j-1}},$$

$$s_{K_j + 1} = s_{K_{j-1}} s_{K_{j-1} + 1} - a\, s_{-K_{j-1}} + s_{-(K_{j-1} - 1)}.$$

(b) For $k_j = 1$, we have

$$s_{K_j - 1} = s_{K_{j-1}}^2 - 2 s_{-K_{j-1}},$$

$$s_{K_j} = s_{K_{j-1}} s_{K_{j-1} + 1} - a\, s_{-K_{j-1}} + s_{-(K_{j-1} - 1)},$$

$$s_{K_j + 1} = s_{K_{j-1} + 1}^2 - 2 s_{-(K_{j-1} + 1)}.$$

The authors in [?] also further showed that with the above algorithm, to calculate the terms $s_k$ and $s_{-k}$, we need $9 \log k$ modulo $q$ multiplications on average.
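As an added example (not code from the paper), the following Python implements the sequence of Section 2 and the ladder of Algorithm 1 over a constructed field, $p = 7$ with $(a, b)$ found by search so that $f(x)$ is irreducible, and checks the ladder against the naive recurrence, against the period $Q$, and against Theorem 1(b). The rule $s_{-k}(a, b) = s_k(b, a)$ used for the negative-index terms follows from equation (1) with $k = -1$, which gives $f_{-1}(x) = x^3 - b x^2 + a x - 1$.

```python
# Added example, not from the paper: the third order LFSR sequence s_k(a, b) of
# Section 2 and the binary ladder of Algorithm 1, checked against the naive recurrence.
# Constructed parameters: p = 7 (e = 1, so q = p) and Q = q^2 + q + 1 = 57; (a, b) is
# found by search so that f(x) = x^3 - a x^2 + b x - 1 is irreducible over GF(p).

def is_irreducible(a, b, p):
    """A cubic over GF(p) is irreducible iff it has no root in GF(p)."""
    return all((x**3 - a*x*x + b*x - 1) % p for x in range(p))

def find_irreducible(p):
    """First pair (a, b) in lexicographic order with f(x) irreducible over GF(p)."""
    return next((a, b) for a in range(p) for b in range(p) if is_irreducible(a, b, p))

def seq_naive(a, b, n, p):
    """s_0, ..., s_n from s_k = a s_{k-1} - b s_{k-2} + s_{k-3}, s_0 = 3, s_1 = a, s_2 = a^2 - 2b."""
    s = [3 % p, a % p, (a*a - 2*b) % p]
    for k in range(3, n + 1):
        s.append((a*s[k-1] - b*s[k-2] + s[k-3]) % p)
    return s[:n + 1]

def pair_naive(a, b, k, p):
    """(s_k(a,b), s_{-k}(a,b)). By eq. (1) with k = -1, f_{-1}(x) = x^3 - b x^2 + a x - 1,
    so the negative-index terms are the sequence with swapped coefficients: s_{-k}(a,b) = s_k(b,a)."""
    return seq_naive(a, b, k, p)[k], seq_naive(b, a, k, p)[k]

def alg1(a, b, k, p):
    """Algorithm 1: (s_k, s_{-k}) from the binary expansion of k, processing the bits
    after the leading 1 as K_j = 2 K_{j-1} + k_j with the identities
    s_{2n} = s_n^2 - 2 s_{-n} and s_{n+m} = s_n s_m - s_{-m} s_{n-m} + s_{n-2m}."""
    if k == 0:
        return 3 % p, 3 % p

    def step(pos, neg, s1, sneg1, bit):
        # pos = (s_{K-1}, s_K, s_{K+1}), neg = (s_{-(K-1)}, s_{-K}, s_{-(K+1)}),
        # s1 = s_1 and sneg1 = s_{-1} of the sequence being advanced.
        sm, s0, sp = pos
        nm, n0, np_ = neg
        if bit == 0:   # case (a): K_j = 2 K_{j-1}
            return (s0*sm - sneg1*n0 + np_, s0*s0 - 2*n0, s0*sp - s1*n0 + nm)
        # case (b): K_j = 2 K_{j-1} + 1
        return (s0*s0 - 2*n0, s0*sp - s1*n0 + nm, sp*sp - 2*np_)

    pos = (3 % p, a % p, (a*a - 2*b) % p)   # K_0 = 1: (s_0, s_1, s_2)
    neg = (3 % p, b % p, (b*b - 2*a) % p)   # (s_0, s_{-1}, s_{-2}): the (b, a) sequence
    for ch in bin(k)[3:]:                   # bits k_1 ... k_r after the leading 1
        bit = int(ch)
        # the negative side is the (b, a) sequence, so it steps with the roles swapped
        pos, neg = step(pos, neg, a, b, bit), step(neg, pos, b, a, bit)
        pos = tuple(v % p for v in pos)
        neg = tuple(v % p for v in neg)
    return pos[1], neg[1]

def f_k_coeffs(a, b, k, p):
    """Coefficients (1, -s_k, s_{-k}, -1) of f_k(x) = x^3 - s_k x^2 + s_{-k} x - 1 (eq. (1))."""
    sk, sneg = alg1(a, b, k, p)
    return 1, (-sk) % p, sneg, (-1) % p

if __name__ == "__main__":
    p = 7
    a, b = find_irreducible(p)
    Q = p*p + p + 1
    print(f"f(x) = x^3 - {a} x^2 + {b} x - 1 over GF({p}), Q = {Q}")
    print("(s_Q, s_-Q) =", alg1(a, b, Q, p), "(the roots have order dividing Q, so this is (3, 3))")
    sd, sneg_d = alg1(a, b, 4, p)
    print("Theorem 1(b): s_5(s_4, s_-4) =", alg1(sd, sneg_d, 5, p)[0], " s_20 =", alg1(a, b, 20, p)[0])
```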

As Algorithm 1 is only suitable for those $k$ which are known, it cannot be used to calculate the terms $s_{k+n}$ for unknown $k$ and known $n$. We give an algorithm, called Algorithm 2, to calculate such terms as follows:

Let $p$ be an odd prime and $e$ any positive integer. Let $GF(q)$ be a finite field where $q = p^e$ and

$$f(x) = x^3 - a x^2 + b x - 1, \qquad a, b \in GF(q)$$

be an irreducible polynomial over $GF(q)$ of order $Q = q^2 + q + 1$. Then, the sequence $s = \{s_k\}$ can be calculated as follows:

$$S_{n+k}^T = A^n S_k^T,$$

where $S_k = [s_k, s_{k+1}, s_{k+2}]$ is a vector over $GF(q)$ and $S_k^T$ is the transpose of the vector $S_k$. We know that the complexity of the general method for $3 \times 3$ matrix multiplication is 27 multiplications in $GF(q)$. Furthermore, Bläser [?] showed that the lower bound for the multiplicative complexity of $n \times n$ matrix multiplication is $\frac{5}{2} n^2 - 3n$, and for $n = 3$ the lower bound is 13.5. Therefore, in this section, we will discuss an efficient method for matrix multiplication and then derive an efficient method to compute $A^n$.

For any $x^n \bmod f(x)$, where $n > 2$, we can express it as follows:

$$x^n = c_2 x^2 + c_1 x + c_0 \bmod f(x),$$

where the $c_i$ are in $GF(q)$ for $0 \le i \le 2$. Then there is a one-to-one expression for the matrix $A^n$ as follows:

$$A^n = c_2 A^2 + c_1 A + c_0 I,$$

where $I$ is the identity matrix.

Algorithm 2: Let $f(x) = x^3 - a x^2 + b x - 1$, $a, b \in GF(q)$, be an irreducible polynomial over $GF(q)$ with companion matrix $A$. For any integer $n$, we can calculate $A^n$ as follows:

Step 1: Let $r = \log_2(q^2 + q + 1)$ and express $n = \sum_{i=0}^{r-1} n_i 2^i$ in binary representation, where $n_i \in \{0, 1\}$ and $0 \le i \le r - 1$.

Step 2: Compute $x^{2^2}, \ldots, x^{2^{r-1}} \bmod f(x)$ and store these values. Also compute $A^2$ as follows:

$$A^2 = \begin{pmatrix} 0 & 0 & 1 \\ 1 & -b & a \\ a & 1 - ab & a^2 - b \end{pmatrix}.$$

Step 3: Compute $x^n = \prod_{i=0}^{r-1} (x^{2^i})^{n_i} \bmod f(x)$ and denote the result by

$$x^n = c_2 x^2 + c_1 x + c_0 \bmod f(x).$$

Step 4: Compute $A^n$ as follows:

$$A^n = c_2 A^2 + c_1 A + c_0 I.$$

Let the two polynomials be $a_2 x^2 + a_1 x + a_0$ and $b_2 x^2 + b_1 x + b_0$, where $a_i, b_i \in GF(q)$ for $0 \le i \le 2$; then the usual multiplication is

$$(a_2 x^2 + a_1 x + a_0)(b_2 x^2 + b_1 x + b_0) = a_2 b_2 x^4 + (a_1 b_2 + a_2 b_1) x^3 + (a_2 b_0 + a_0 b_2 + a_1 b_1) x^2 + (a_1 b_0 + a_0 b_1) x + a_0 b_0.$$

This will take 9 multiplications. Now, we do the multiplications as follows:

$$(a_0 + a_1)(b_0 + b_1) = a_1 b_1 + a_0 b_1 + a_1 b_0 + a_0 b_0 \qquad (2)$$

$$(a_1 + a_2)(b_1 + b_2) = a_1 b_1 + a_2 b_1 + a_1 b_2 + a_2 b_2 \qquad (3)$$

$$(a_0 + a_2)(b_0 + b_2) = a_0 b_0 + a_2 b_0 + a_0 b_2 + a_2 b_2 \qquad (4)$$

Then, we have

$$a_1 b_2 + a_2 b_1 = (3) - a_1 b_1 - a_2 b_2,$$

$$a_1 b_0 + a_0 b_1 = (2) - a_1 b_1 - a_0 b_0,$$

$$a_2 b_0 + a_0 b_2 + a_1 b_1 = (4) - a_0 b_0 - a_2 b_2 + a_1 b_1.$$

With the above calculations, we only require 6 multiplications in $GF(q)$ (the three products $a_0 b_0$, $a_1 b_1$, $a_2 b_2$ and the three products (2), (3), (4)), which is faster than the usual polynomial multiplication. The reduction of $x^4$ and $x^3$ modulo $f(x)$ will take 5 multiplications in $GF(q)$. Hence, the total number of multiplications in $GF(q)$ for the multiplication of two polynomials modulo $f(x)$ is 11.

The complexity of an algorithm computing $s_{k+n}$ is discussed in the following theorem.

Theorem 3. Given the matrix $A$ and an initial vector $S_k = [s_k, s_{k+1}, s_{k+2}]$, there is an efficient algorithm that computes $S_{k+n} = [s_{k+n}, s_{k+n+1}, s_{k+n+2}]$ by $S_{k+n}^T = A^n S_k^T$ with computational complexity $11H(n) + 3$ multiplications in $GF(q)$ and $3(r-2)\log_2 q$ bits of memory to store the polynomials $x^{2^2}, \ldots, x^{2^{r-1}} \bmod f(x)$, where $H(n)$ is the Hamming weight of $n$ in binary representation and $r = \log_2(q^2 + q + 1)$.

Proof: In Step 2 of Algorithm 2, it is easily calculated that the memory needed to store $x^{2^i} \bmod f(x)$ for $2 \le i \le r - 1$ is about $3(r-2)\log_2 q$ bits. There is no storage required for $A^2$, as its first row is $(0, 0, 1)$, its second row is the polynomial representation of $f(x)$ and its third row is the same as the coefficients of $x^4 \bmod f(x)$. In Step 3, the number of polynomial multiplications required is $H(n)$, and each multiplication of two polynomials takes 11 multiplications in $GF(q)$. Hence, we have the result and the proof is complete.

Remarks:

1. If $\log_2 q = 1024$, then the memory required to store $x^{2^i}$ for $2 \le i \le r - 1$ is 85 K bytes.

2. The above algorithm is suitable for a parallel computing implementation; for example, we can implement three multipliers in $GF(q)$ with less complexity than one multiplier in $GF(q^3)$.

4 Digital Signature Schemes 

A digital signature is an electronic version of a handwritten signature for digital documents, and digital signatures are used in many applications, for example, signing documents, electronic cash, electronic payment systems, electronic voting and electronic auctions, etc. We will discuss some of the applications, by the different requirements of the signature schemes, in the following subsections. A signature scheme normally involves three stages, that is, key generation, signature generation and verification of the message. We now give a formal definition as follows:

Definition 1. A signature scheme is defined as:

- The key generation algorithm $\mathcal{G}$. On input the security parameter $k$, the algorithm $\mathcal{G}$ produces a pair $(K_p, K_s)$ of public and secret keys.

- The signing algorithm $\Sigma$. Given a message $m$ and a pair of public and secret keys $(K_p, K_s)$, $\Sigma$ produces a signature $\sigma$.

- The verification algorithm $V$. Given a signature $\sigma$, a message $m$ and a public key $K_p$, $V$ tests whether $\sigma$ is a valid signature of $m$ with respect to $K_p$.

Now, we describe the digital signature schemes in the following subsections:



4.1 A Normal Digital Signature Scheme 

This scheme is usually used as a digital signature for signing documents to provide non-repudiation, and anyone who knows the public key can verify the signature. Among the best known signature schemes are those constructed by ElGamal [?] and Schnorr [?]. Both were constructed over the finite field $GF(p)$. In this subsection, we construct a new signature scheme based on third order shift registers. The construction is described as follows:

Key Generation: Let $h$ be a one-way hash function, $p$ an odd prime number and $e$ any positive integer. Let $q = p^e$ and $f(x) = x^3 - a x^2 + b x - 1$ be an irreducible polynomial over $GF(q)$ of order $Q = q^2 + q + 1$. A signer, Alice, first chooses a secret key $z$ that satisfies $0 < z < Q$ and $(z, Q) = 1$, and computes her public key $s_z(a, b), s_{-z}(a, b)$ by using Algorithm 1.

Signature Generation: To sign a message $m$, Alice performs the following to generate a signature for message $m$:

(S-1) Choose a random number $k$ that satisfies $0 < k < Q$ and $(k, Q) = 1$.

(S-2) Compute $s_k(a, b), s_{k+1}(a, b), s_{k+2}(a, b)$ by using Algorithm 1.

(S-3) Compute $h_1 = h(m, s_k, s_{k+1}, s_{k+2})$. If $(h_1, Q) \neq 1$, then go back to S-1; otherwise proceed to S-4.

(S-4) Compute $t$ such that $t + k = h_1 z \bmod Q$.

Then $(t, s_k, s_{k+1}, s_{k+2})$ is a signature for message $m$ that Alice sends to Bob.

Signature Verification: After Bob receives the signature $(t, s_k, s_{k+1}, s_{k+2})$, he first computes $h_1 = h(m, s_k, s_{k+1}, s_{k+2})$ and checks the following equation:

$$s_{k+t} = s_{z h_1},$$

where $s_{k+t}$ and $s_{z h_1}$ can be computed using Algorithm 2 and Algorithm 1 respectively as follows:

$$S_{k+t}^T = A^t S_k^T$$

and

$$s_{z h_1} = s_{h_1}(s_z(a, b), s_{-z}(a, b)).$$

If $s_{k+t}$ and $s_{z h_1}$ are equal, then it is a correct signature; otherwise it is incorrect.

The security of this signature scheme will be discussed in Section 5.
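As an added example (not the paper's code), the following Python implements Algorithm 2 with the 6-multiplication product of equations (2) to (4) and the 5-multiplication reduction, and uses it to run the key generation, signing and verification of this subsection. Assumptions: $p = 65537$ with $e = 1$, $(a, b)$ found by search, SHA-256 reduced modulo $Q$ standing in for $h$, and Algorithm 2 used in place of Algorithm 1 wherever a term $s_k(a, b)$ is needed, since both compute the same term.

```python
# Added example, not the paper's code: Algorithm 2 (x^n mod f(x) via the 6-multiplication
# product of eqs (2)-(4), then A^n = c2 A^2 + c1 A + c0 I) driving the signature scheme of
# Section 4.1. Constructed: p = 65537 (e = 1), Q = q^2 + q + 1, (a, b) found by search;
# SHA-256 mod Q stands in for h; Algorithm 2 replaces Algorithm 1 for every s_k(a, b).
import hashlib
import secrets
from math import gcd

P = 65537
Q = P * P + P + 1

def find_irreducible(p):
    """First (a, b) with x^3 - a x^2 + b x - 1 irreducible over GF(p), i.e. with no root."""
    return next((a, b) for a in range(p) for b in range(p)
                if all((x*x*x - a*x*x + b*x - 1) % p for x in range(p)))

A_COEF, B_COEF = find_irreducible(P)

def polymul_mod(u, v, a, b, p):
    """Product of u = (u0, u1, u2) and v (coefficients of 1, x, x^2) modulo f(x):
    6 field multiplications, then 5 for x^3 = a x^2 - b x + 1, x^4 = (a^2-b) x^2 + (1-ab) x + a."""
    u0, u1, u2 = u
    v0, v1, v2 = v
    m0, m1, m2 = u0*v0, u1*v1, u2*v2
    e2 = (u0 + u1) * (v0 + v1)                # eq. (2)
    e3 = (u1 + u2) * (v1 + v2)                # eq. (3)
    e4 = (u0 + u2) * (v0 + v2)                # eq. (4)
    d4, d3 = m2, e3 - m1 - m2                 # coefficients of x^4 and x^3
    d2, d1, d0 = e4 - m0 - m2 + m1, e2 - m1 - m0, m0
    c2 = d2 + d3*a + d4*(a*a - b)
    c1 = d1 - d3*b + d4*(1 - a*b)
    c0 = d0 + d3 + d4*a
    return c0 % p, c1 % p, c2 % p

def x_pow_mod(n, a, b, p):
    """Steps 1 to 3: x^n mod f(x) as (c0, c1, c2), multiplying together the powers
    x^(2^i) selected by the bits n_i of n (square-and-multiply, lowest bit first)."""
    result, base = (1, 0, 0), (0, 1, 0)
    while n:
        if n & 1:
            result = polymul_mod(result, base, a, b, p)
        base = polymul_mod(base, base, a, b, p)
        n >>= 1
    return result

def companion_power(n, a, b, p):
    """Step 4: A^n = c2 A^2 + c1 A + c0 I for the companion matrix A of f(x)."""
    c0, c1, c2 = x_pow_mod(n, a, b, p)
    A1 = ((0, 1, 0), (0, 0, 1), (1, -b, a))
    A2 = ((0, 0, 1), (1, -b, a), (a, 1 - a*b, a*a - b))
    return [[(c2*A2[i][j] + c1*A1[i][j] + (c0 if i == j else 0)) % p for j in range(3)]
            for i in range(3)]

def advance(state, n, a, b, p):
    """S_{k+n} = A^n S_k^T for a state S_k = (s_k, s_{k+1}, s_{k+2}) (Theorem 3)."""
    M = companion_power(n, a, b, p)
    return tuple(sum(M[i][j] * state[j] for j in range(3)) % p for i in range(3))

def initial_state(a, b, p):
    """S_0 = (s_0, s_1, s_2) = (3, a, a^2 - 2b)."""
    return 3 % p, a % p, (a*a - 2*b) % p

def term_pair(n, a, b, p):
    """(s_n(a,b), s_{-n}(a,b)); by eq. (1) with k = -1 the negative-index terms form the (b, a) sequence."""
    return (advance(initial_state(a, b, p), n, a, b, p)[0],
            advance(initial_state(b, a, p), n, b, a, p)[0])

def hash_mod_q(*parts):
    """Stand-in for h: SHA-256 over a '|'-joined encoding of the inputs, reduced mod Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Alice picks z with 0 < z < Q, (z, Q) = 1; public key (s_z(a,b), s_{-z}(a,b))."""
    while True:
        z = secrets.randbelow(Q - 1) + 1
        if gcd(z, Q) == 1:
            return z, term_pair(z, A_COEF, B_COEF, P)

def sign(z, m):
    """Steps S-1 to S-4; returns (t, s_k, s_{k+1}, s_{k+2})."""
    while True:
        k = secrets.randbelow(Q - 1) + 1                                        # S-1
        if gcd(k, Q) != 1:
            continue
        sk = advance(initial_state(A_COEF, B_COEF, P), k, A_COEF, B_COEF, P)   # S-2
        h1 = hash_mod_q(m, *sk)                                                 # S-3
        if gcd(h1, Q) == 1:
            return ((h1 * z - k) % Q,) + sk                                     # S-4

def verify(pub, m, sig):
    """Check s_{k+t} = s_{z h1}: the left side from S_{k+t} = A^t S_k^T, the right side as
    s_{h1}(s_z, s_{-z}) = s_{h1 z} (Theorem 1(b)): the (s_z, s_{-z}) sequence advanced h1 steps."""
    s_z, s_negz = pub
    t, *sk = sig
    h1 = hash_mod_q(m, *sk)
    left = advance(tuple(sk), t, A_COEF, B_COEF, P)[0]
    right = advance(initial_state(s_z, s_negz, P), h1, s_z, s_negz, P)[0]
    return left == right

if __name__ == "__main__":
    z, pub = keygen()
    sig = sign(z, "constructed message")
    print("genuine:", verify(pub, "constructed message", sig),
          " other message:", verify(pub, "another message", sig))
```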
4.2 A Signed Encryption Scheme

In some cases, we want to encrypt a message together with a signature for an intended receiver. This type of signature can only be verified and decrypted by the intended receiver. This differs from the previous signature in that it can only be verified by the intended receiver, and is called signed encryption. One of the best known signed encryption schemes is the signed ElGamal encryption scheme [?]. In this subsection, we construct a new signed encryption scheme as follows:

Key Generation: Let $h$ be a one-way hash function, $p$ an odd prime number and $e$ any positive integer. Let $q = p^e$ and $f(x) = x^3 - a x^2 + b x - 1$ be an irreducible polynomial over $GF(q)$ of order $Q = q^2 + q + 1$. A signer, Alice, first chooses a secret key $z$ that satisfies $0 < z < Q$ and $(z, Q) = 1$, and computes her public key $s_z(a, b), s_{-z}(a, b)$ by using Algorithm 1. If Alice wishes to send an encrypted and signed message to Bob, she needs to know Bob's public key. First, Bob chooses a secret key $r$ that satisfies $0 < r < Q$ and $(r, Q) = 1$, and computes his public key $s_r(a, b), s_{-r}(a, b)$ by using Algorithm 1.

Signature Generation: To sign and encrypt a message $m$, Alice performs the following steps to produce a signature of message $m$:

(SS-1) Choose a random number $u$ that satisfies $0 < u < Q$ and $(u, Q) = 1$, and compute $s_u$, $s_{-u}$ and $s_{ur} = s_u(s_r(a, b), s_{-r}(a, b))$ by using Algorithm 1. If $s_{ur} = 0$, then go back to SS-1; otherwise proceed to SS-2.

(SS-2) Choose a random number $k$ that satisfies $0 < k < Q$ and $(k, Q) = 1$, and compute $s_k, s_{k+1}, s_{k+2}$ by using Algorithm 1.

(SS-3) Compute $m_1 = m s_{ur}$ and $h_1 = h(s_k, s_{k+1}, s_{k+2}, s_u, s_{-u}, m_1)$. If $(h_1, Q) \neq 1$, then go back to SS-2; otherwise proceed to SS-4.

(SS-4) Compute $t$ such that $t + k = h_1 z \bmod Q$.

Then Alice will send $(s_k, s_{k+1}, s_{k+2}, s_u, s_{-u}, m_1, t)$ to Bob as the signature and encryption of message $m$.

Signature Verification: Upon receipt of the signature $(s_k, s_{k+1}, s_{k+2}, s_u, s_{-u}, m_1, t)$, Bob first computes $h_1 = h(s_k, s_{k+1}, s_{k+2}, s_u, s_{-u}, m_1)$ and checks the following equation:

$$s_{k+t} = s_{h_1 z},$$

where $s_{k+t}$ and $s_{h_1 z}$ can be calculated using Algorithm 2 and Algorithm 1 respectively as follows:

$$S_{k+t}^T = A^t S_k^T$$

and

$$s_{h_1 z} = s_{h_1}(s_z(a, b), s_{-z}(a, b)).$$

If $s_{k+t}$ and $s_{h_1 z}$ are equal, then it is a correct signature; otherwise it is incorrect. For a correct signature, Bob is able to obtain the message $m$ as follows:

$$m = m_1 / s_{ur},$$

as Bob knows his own secret key $r$ and is able to calculate $s_{ur}$ as $s_{ur} = s_r(s_u(a, b), s_{-u}(a, b))$ by using Algorithm 1.

5 Security of Signature Schemes 

Cryptanalysis of a signature scheme is basically done by forgeries. There are three well known kinds of forgery.

a) Total break: An adversary is able to recover the secret key of the signer. This is the most serious attack on the system. It means that the scheme cannot be used at all.

b) Universal forgery: An adversary is able to construct an efficient algorithm which is able to sign any message.

c) Existential forgery: An adversary is able to generate a new message-signature pair, but the message may not be meaningful.

Based on the above types of attack, we analyse the security of these signature schemes in the following theorems. The normal and signed encryption schemes are quite similar except that the latter is with encryption. We will analyse the two schemes together. First, we show that the security of these signature schemes is based on the difficulty of solving the discrete logarithm problem in $GF(q^3)$ and in the general linear group. Following that, we show that the security of the normal signature scheme and the signed encryption scheme is equivalent to that of the Schnorr scheme and the Signed-ElGamal encryption scheme respectively.



Definition 2. The discrete logarithm problem (DL) is the following: given a finite cyclic group $G$, a generator $g$ of $G$ and an element $a$, find an integer $x$, $1 \le x \le |G| - 1$, such that $a = g^x$ holds.

Now, we define a similar concept of discrete logarithm problem in shift registers as follows:

Definition 3. The shift register type of discrete logarithm problem (SR-DL) is the following: given $(s_k, s_{-k})$ and $(s_1, s_{-1})$, find an integer $k$, $1 \le k \le Q - 1$, such that $s_k = s_k(s_1, s_{-1})$ holds.



Theorem 4. The SR-DL problem is equivalent to the DL problem.

Proof:

($\Rightarrow$) Given $(s_k, s_{-k})$ and $(s_1, s_{-1})$, the polynomial $f_k(x)$ can be formed by Theorem 1 and its roots can be easily calculated. Let $\alpha$ and $\beta$ be roots of $f(x)$ and $f_k(x)$ in the field $GF(q^3)$ respectively. Then there exists some $i$, $0 \le i \le 2$, such that $\beta = \alpha^{q^i k}$ in $GF(q^3)$. Now, if there exists an efficient algorithm to find $k$ from $(s_k, s_{-k})$ and $(s_1, s_{-1})$, then we can also easily find $q^i k$ such that $\beta = \alpha^{q^i k}$, which is a DL problem. Hence, SR-DL implies DL.

($\Leftarrow$) Given $\alpha$ and $\beta$, if we can find $k$ such that $\beta = \alpha^k$, then we have $\beta^{q^i} = \alpha^{q^i k}$ for $0 \le i \le 2$ and we can form the polynomial $f_k(x)$. Then we have $(s_k, s_{-k})$. Hence, for given $(s_k, s_{-k})$ and $(s_1, s_{-1})$, there is an efficient algorithm to find $k$ such that $s_k = s_k(s_1, s_{-1})$. Therefore, this shows that DL implies SR-DL. Hence, we have proved that SR-DL is equivalent to DL.

In [?], Menezes and Wu showed that the discrete logarithm problem in the general linear group $GL(n, q)$, the set of $n \times n$ nonsingular matrices over $GF(q)$, can be reduced to the discrete logarithm in small extension fields of $GF(q)$. The discrete logarithm problem in $GL(n, q)$ is to find $k$, given $n \times n$ matrices $A$ and $B$ over $GF(q)$, such that $B = A^k$. Let the factorization of the characteristic polynomial $p_A(x)$ of $A$ over $GF(q)$ be $p_A(x) = f_1^{e_1} \cdots f_u^{e_u}$, where the degree of $f_i$ is $m_i$. Menezes and Wu showed the following theorem:

Theorem 5. [?] The discrete logarithm problem in $GL(n, q)$ is reduced to the discrete logarithm in $GF(q^{m_i})$, $1 \le i \le u$.

If the characteristic polynomial is irreducible and we call its companion matrix an irreducible matrix, then we have the following corollary.

Corollary 1. The discrete logarithm of an irreducible matrix in $GL(n, q)$ is reduced to the discrete logarithm in $GF(q^n)$.

From the above Theorem 4, we know that it is impossible for an adversary to find the secret key with the knowledge of $s_z$ and $s_{-z}$. Furthermore, it is also difficult to find the random number $k$. From Corollary 1 and Theorem 4, it is also difficult to find $k + t$ with the knowledge of $s_{k+t}$. Hence, the two signature schemes can withstand the first attack.

In [?] and [?], the authors showed that Schnorr signatures over $GF(p)$ are secure against adaptive chosen message attack in the random oracle model. In the following theorem, we show that our normal signature scheme and the Schnorr signature scheme are equivalent under the same group of order $Q$. Let $g$ be a generator of a group of order $Q$ and $h$ a one-way hash function. Let $z$ be the secret key and $g^z$ the public key. Choose a random number $k$; then a signature on a message $m$ is generated as follows:

$$h_1 = h(m, g^k), \qquad k + t = h_1 z, \qquad g^{k+t} = (g^z)^{h_1}.$$

The signature of $m$ is $(g^k, t)$.
Theorem 6. Our normal signature scheme is equivalent to the Schnorr signature scheme.

Proof:

($\Rightarrow$) Given our normal signature scheme, we have a signature $(t, s_{k-2}, s_{k-1}, s_k)$ and the following relations:

$$s_{k+t} = s_{h_1 z}$$

and

$$k + t = h_1 z \bmod Q.$$

Hence, we have

$$-(k + t) = -h_1 z \bmod Q$$

and

$$s_{-(k+t)} = s_{-h_1 z}.$$

As we know $(h_1 z, Q) = 1$, where $Q = q^2 + q + 1$, we have $(k + t, Q) = 1$. Then, by equation (1), we can form the polynomials $f_{k+t}(x)$ and $f_{h_1 z}(x)$. These two polynomials are equal and their roots can easily be calculated. Let $\alpha^{k+t}$ and $\alpha^{h_1 z}$ be the roots of $f_{k+t}(x)$ and $f_{h_1 z}(x)$ respectively, where $\alpha$ is a root of $f(x)$ in $GF(q^3)$. Then we have $\alpha^{k+t} = \alpha^{h_1 z}$ with $k + t = h_1 z$, which is the Schnorr signature scheme. Hence, our normal signature scheme is reduced to the Schnorr signature scheme.

($\Leftarrow$) Similarly, given the Schnorr signature scheme, we have $g^{k+t} = g^{h_1 z}$ and $k + t = h_1 z$. With $g = \alpha$ a root of $f(x)$ as above, we have

$$\alpha^{k+t} = \alpha^{h_1 z}$$

and

$$(\alpha^{k+t})^{q^i} = (\alpha^{h_1 z})^{q^i}, \qquad i = 0, 1, 2.$$

Therefore, we have $s_{k+t} = s_{h_1 z}$ and $k + t = h_1 z$, which forms our normal signature scheme. Hence, our normal signature scheme and the Schnorr signature scheme are equivalent. This completes the proof.

Our signed encryption scheme is quite the same as the normal signature scheme, except that the former carries an encrypted message. Therefore, we have the following theorem.

Theorem 7. Our signed encryption scheme is equivalent to the Signed-ElGamal encryption scheme.

Hence, from Theorem 6 and Theorem 7, we can conclude the following theorem.

Theorem 8. (i) The security of our normal signature scheme is equivalent to the security of the Schnorr signature scheme.

(ii) The security of our signed encryption scheme is equivalent to the security of the Signed-ElGamal encryption scheme.
6 Conclusion

In this paper, we proposed two digital signature schemes based on a third order linear feedback shift register over $GF(q)$. We showed a method of implementing these two schemes efficiently. We showed that the security of the two schemes relies on the discrete logarithm over $GF(q^3)$. Furthermore, we also showed that the security of these two signature schemes is equivalent to that of the Schnorr signature scheme and the Signed-ElGamal encryption scheme respectively. The methods presented here can lead to many constructions of digital signature schemes over $GF(q^3)$, and it is expected that more signatures could be constructed from third order linear feedback shift registers. The other advantage of this method is that the computation is carried out in $GF(q)$ and not in $GF(q^3)$.
Abstract. A distributor of digital contents desires to collect users' attributes, because from them the distributor can grasp the image of the users and work out a marketing strategy. On the other hand, the users do not desire to offer their attributes, owing to privacy protection. For anonymous surveys, a protocol to generate statistical results of the attributes was previously proposed, where no extra information is released beyond the statistical results. However, in the simple application of this protocol to the surveys, the correctness of the statistical results is not assured, since the users do not necessarily offer the correct attributes. In this paper, under the assumption that some trusted third parties exist, an anonymous statistical survey system of attributes with correctness is proposed.

Keywords: Statistical survey of attributes, Anonymity, Group signature scheme, Shuffle, Threshold cryptosystem



1 Introduction 

Recently, digital contents have been distributed on computer networks for commercial purposes, where the distributor sends users digital contents including texts, images and sound, while the users watch advertisements or pay the distributor. It is desirable that these services are conducted anonymously, since otherwise the distributor can collect a history that indicates which contents a user utilizes, and furthermore the distributor may leak the history to others. By contrast, the distributor wants to grasp the image of the users, since the distributor can work out its strategy according to the image. This may also benefit the users, since they may obtain more suitable contents. One method to grasp the image is to collect the attributes of the users, which are concretely the gender, age, job and so on. However, even if offering the attributes during the services is conducted anonymously, offering many attributes may help the distributor to trace the identity of the user. Only the statistical results of the attributes may give the distributor useful information to grasp the image.

In [1], Sako proposes a protocol executed among several trusted third parties (TTPs) in order to generate statistical results of attributes for anonymous survey systems. The merit of this protocol is that it releases no extra information beyond the statistical results. Each TTP is in charge of one attribute type, and the TTP obtains only the information of the corresponding attribute type. The TTP's input is the set of the ciphertexts, encrypted with the TTP's public key, of attribute values of the corresponding attribute type. The output is only the statistical result of the attribute type. By using this protocol, an anonymous survey system of attributes is simply constructed as follows: A user sends the distributor the ciphertexts of the user's attribute values, and the distributor collects them. After collecting a certain amount of ciphertexts, the distributor gives them to the TTPs to execute this protocol. Then, the distributor can obtain the statistical results of all attribute types without the extra information. This protocol has a mechanism to detect a TTP that does not obey the protocol, and thus it is assured that the results are correct if the inputs are correct, that is, if the attribute values in the ciphertexts are correct. However, in the above simple survey system, since the user does not necessarily send the correct attribute values, it is not assured that the statistical results are correct.

This paper proposes an anonymous statistical survey system of attributes with correctness. In this system, a set of multiple TTPs, called trustees, is in charge of every attribute type. Unless a quorum of the trustees is corrupted, the statistical results are generated without releasing any extra information, even to each trustee. In addition, to verify that a user commits the correct attribute values, this system introduces an attribute authority as an additional TTP. The attribute authority assures the correspondence between the user's genuine attribute values and the committed values. In the proposed system, extensions of the group signature scheme [2], verifiable shuffle protocols [3] and the threshold cryptosystem [4] produce the correctness along with the anonymity.

This paper is organized as follows: Section 2 shows a model of the anonymous statistical survey system of attributes. Next, as the cryptographic tools used in the proposed system, signatures based on zero-knowledge proofs of knowledge (SPKs), which are also used in the group signature scheme, a verifiable shuffle protocol and a threshold cryptosystem are reviewed in Section 3. Then, the overview and detailed construction of the anonymous statistical survey system of attributes are described in Sections 4 and 5, respectively. Its security is discussed in Section 6. Finally, Section 7 concludes this paper.



2 A Model of Anonymous Statistical Survey System of Attributes

The participants in an anonymous statistical survey system of attributes are an attribute authority, users, a distributor, and trustees. The attribute authority is a TTP, and the authority assures the correspondence between the user's genuine attribute values and the encrypted values which are offered by the user. The trustees are also TTPs, and it is assumed that a quorum of them is not corrupted. The survey system consists of the setup, registration, offering, and generating protocols. In the setup protocol, the secret and public keys of the attribute authority and the trustees are set up. In the registration protocol, a user generates his secret key and public key, and is issued the attribute certificate for a registered value from the attribute authority. In the offering protocol, a user sends the distributor the encrypted values corresponding to the user's attribute values, whose validity is assured by the attribute certificate. In the generating protocol, given the encrypted values of many users, a quorum of the trustees outputs the statistical result of every attribute type.

The requirements of an anonymous survey system of attributes are as follows:

Correctness: The statistical result is correct if the participants obey the protocols. If a participant disobeys the protocols, it can be detected.
Anonymity: The offering protocol is conducted anonymously. That is, the other party cannot identify the user from a transcript of this protocol, and also cannot link two transcripts w.r.t. the sameness of the user. Furthermore, the other party cannot link a transcript of the offering protocol to the corresponding attribute values.

3 Preliminaries 

3.1 Signatures Based on Zero-Knowledge Proofs of Knowledge 

The proposed system uses an extension of the group signature scheme in [2]. In this scheme, as primitives to prove the knowledge of secret values without leaking any useful information, signatures based on zero-knowledge proofs of knowledge (SPKs) are used. Since the proposed system also uses some types of SPKs, this subsection reviews the SPKs. These are converted from zero-knowledge proofs of knowledge (PKs) by the so-called Fiat-Shamir heuristic [5]. That is, the prover determines the challenge by applying a collision-resistant hash function to the commitment and the signed message, and then computes the response as usual. The resulting signature consists of the challenge and the response. Such SPKs can be proven to be secure in the random oracle model [6] given the security of the underlying PKs. Let $SPK\{(\alpha, \beta, \ldots) : Predicates\}(m)$ be the signature on message $m$ proving that the signer knows $\alpha, \beta, \ldots$ satisfying the predicates $Predicates$. In this notation, Greek letters denote the secret knowledge and the other letters denote public parameters between the signer and the verifier. The proposed system is based on the hardness of the discrete logarithm problem, as is the group signature scheme [2]. Thus, the relations among the discrete logarithms from cyclic groups are used as the predicates to prove. In the following, let $G$ be a cyclic group with order $q$. The discrete logarithm of $y \in G$ to the base $z \in G$ is $x \in \mathbb{Z}_q$ satisfying $y = z^x$ if such an $x$ exists. This is extended to the representation of $y \in G$ to the bases $z_1, z_2, \ldots, z_k \in G$, which is $x_1, x_2, \ldots, x_k \in \mathbb{Z}_q$ satisfying $y = z_1^{x_1} z_2^{x_2} \cdots z_k^{x_k}$ if such $x_i$'s exist. The $e$-th root of the discrete logarithm of $y \in G$ to the base $z \in G$ is $x \in \mathbb{Z}_q$ satisfying $y = z^{x^e}$ if such an $x$ exists.

The first type of SPK is the signature proving the knowledge of representations of $y_1, \ldots, y_w \in G$ to the bases $z_1, \ldots, z_v \in G$ on message $m$, and it is denoted as

$SPK\{(\alpha_1, \ldots, \alpha_u) : (y_1 = \prod_{j=1}^{l_1} z_{b_{1j}}^{\alpha_{a_{1j}}}) \wedge \cdots \wedge (y_w = \prod_{j=1}^{l_w} z_{b_{wj}}^{\alpha_{a_{wj}}})\}(m),$

where the constants $l_i \in \{1, \ldots, u\}$ indicate the number of bases in the representation of $y_i$, the indices $a_{ij} \in \{1, \ldots, u\}$ refer to the elements $\alpha_1, \ldots, \alpha_u$ and the indices $b_{ij} \in \{1, \ldots, v\}$ refer to the elements $z_1, \ldots, z_v$. For example, $SPK\{(\alpha, \beta) : y_1 = z_1^{\alpha} \wedge y_2 = z_1^{\beta} z_2^{\alpha}\}(m)$ is the SPK on $m$ of an entity knowing the discrete logarithm of $y_1$ to the base $z_1$ and a representation of $y_2$ to the bases $z_1$ and $z_2$, where the $z_2$-part of this representation equals the discrete logarithm of $y_1$ to the base $z_1$. The second type is the SPK proving the knowledge of the $e$-th root of the discrete logarithm of $y \in G$ to the base $z \in G$ on $m$, and is denoted as

$SPK\{\beta : y = z^{\beta^e}\}(m).$

The third type is the SPK proving the knowledge of the $e$-th root of the $z_2$-part of a representation of $y \in G$ to the bases $z_1, z_2 \in G$ on $m$, and is denoted as

$SPK\{(\gamma, \delta) : y = z_1^{\gamma} z_2^{\delta^e}\}(m).$

The efficient constructions of these types of signatures are concretely described in [2].
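The example SPK above, $SPK\{(\alpha, \beta) : y_1 = z_1^{\alpha} \wedge y_2 = z_1^{\beta} z_2^{\alpha}\}(m)$, worked through in Python as an added illustration; this is not code from the paper or its authors, and it does not use the efficient constructions of [2]. It shows the Fiat-Shamir conversion described in the text: the prover commits with fresh randomness, derives the challenge by hashing the bases, the public values, the commitments and the signed message, and answers with one response per secret; the verifier recomputes the commitments from the responses and checks the hash. Assumptions: a toy prime-order subgroup of $\mathbb{Z}_P^*$ with $P = 1019$, $Q = 509$ (far too small for real use), SHA-256 as the hash, and the names `spk_sign`, `spk_verify`, `Z1`, `Z2` are this example's own.

```python
import hashlib
import secrets

# Toy prime-order group, constructed for this example and far too small for real
# use: P = 2*Q + 1 with Q prime, G = the subgroup of Z_P^* of order Q.
P, Q = 1019, 509
Z1, Z2 = pow(2, 2, P), pow(3, 2, P)   # two bases z_1, z_2 of G (example's own names)


def challenge(*parts):
    """Fiat-Shamir challenge: SHA-256 over bases, public values, commitments and
    the message, read as an integer. It is used unreduced as an exponent, so a
    forged transcript must hit a full 256-bit collision to verify."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spk_sign(alpha, beta, m):
    """SPK{(alpha, beta) : y1 = z1^alpha AND y2 = z1^beta z2^alpha}(m).
    Returns (y1, y2, signature) with signature = (c, s_alpha, s_beta)."""
    y1 = pow(Z1, alpha, P)
    y2 = pow(Z1, beta, P) * pow(Z2, alpha, P) % P
    r_a, r_b = secrets.randbelow(Q), secrets.randbelow(Q)   # prover's randomness
    t1 = pow(Z1, r_a, P)                                     # commitment for y1
    t2 = pow(Z1, r_b, P) * pow(Z2, r_a, P) % P               # commitment for y2
    c = challenge(Z1, Z2, y1, y2, t1, t2, m)
    s_a = (r_a - c * alpha) % Q          # one response per secret, reduced mod |G|
    s_b = (r_b - c * beta) % Q
    return y1, y2, (c, s_a, s_b)


def spk_verify(y1, y2, sig, m):
    """Recompute both commitments from the responses and check the challenge.
    s_alpha appears in both equations, so the verifier is convinced that the
    z2-part of y2's representation equals log_{z1} y1, without learning alpha."""
    c, s_a, s_b = sig
    t1 = pow(Z1, s_a, P) * pow(y1, c, P) % P
    t2 = pow(Z1, s_b, P) * pow(Z2, s_a, P) * pow(y2, c, P) % P
    return challenge(Z1, Z2, y1, y2, t1, t2, m) == c


if __name__ == "__main__":
    alpha, beta = 123, 456   # constructed secrets
    y1, y2, sig = spk_sign(alpha, beta, "survey message")
    print(spk_verify(y1, y2, sig, "survey message"))  # True
    print(spk_verify(y1, y2, sig, "other message"))   # False
```

Because the message is an input to the challenge, a signature computed for one $m$ does not verify for another; this is the property the offering protocol in Section 5.3 relies on when the distributor supplies a random $m$.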

3.2 Shuffle and Threshold Cryptosystem 

We define a shuffle protocol as the following protocol: Given a list of ciphertexts $(c_1, \ldots, c_N)$, multiple parties output a list of permuted ciphertexts $(c'_1, \ldots, c'_N)$ satisfying $Dec(c_j) = Dec(c'_{\pi(j)})$ for all $j$, where $Dec$ is the decryption function and $\pi$ is a permutation. Furthermore, it is infeasible to determine $\pi(j)$ for any $j$ with non-negligibly better probability unless the parties cooperate, since the permuted ciphertexts are randomized. In [3], a shuffle protocol of the ElGamal encryption is proposed for constructing the Mix-net. Since the parties may disobey the shuffle, the shuffle should be verifiable, which is brought about by the parties' proving the correctness of their actions without revealing their random factors. In [3], a PK to prove the correctness is also proposed, which is used in this survey system together with the shuffle protocol.

We also use the idea of the threshold cryptosystem [4], where a quorum of parties cooperatively decrypts a ciphertext w.r.t. the parties' public key. As with the above shuffle, since the parties may disobey the decryption, the decryption protocol should also be verifiable, that is, the correctness should be proved without revealing their secret keys. In [2], an ElGamal threshold decryption protocol and a PK to prove the correctness are also proposed.

4 Overview 

Before the proposed system is described, an overview is shown. In the system, the group signature scheme [2] is used to assure that a user offers the correct attribute values.

Group signature scheme [2]: The group signature scheme allows a group member to anonymously sign on the group's behalf. Furthermore, the anonymity of the signature can be revoked by a revocation manager. The scheme consists of setup, registration, signing, verification and anonymity revocation protocols. The protocols are informally as follows:

Setup protocol: The group manager sets up public and secret keys on a digital 
signature scheme, and the revocation manager sets up public and secret keys 
on a public encryption scheme. 

Registration protocol: When a user wants to participate in the group, the user sends the group manager $f(x)$ together with his identity, where $f$ is a public one-way function and $x$ is the user's secret key. Then, the manager returns his digital signature on $f(x)$, denoted as $DS(f(x))$, as the membership certificate.

Signing and verification protocol: As the group signature on a message $m$, a group member computes $d = Enc(f(x))$ and $p = SPK\{(\alpha, \beta) : d = Enc(f(\alpha)) \wedge \beta = DS(\alpha)\}(m)$, where $Enc$ is the encryption function with the revocation manager's public key. Its verification is accomplished by verifying the SPK.

Anonymity revocation protocol: When the anonymity of a signature $(d, p)$ is revoked, the revocation manager decrypts $d$ to obtain $f(x)$. Through the registration transcript including $f(x)$, the identity of the signer is found.

The proposed anonymous statistical survey system uses the group signature 
scheme, where the group manager is replaced by the attribute authority and 
the revocation manager is replaced by the trustees. The informal descriptions of 
protocols are as follows. For the simplicity, the case of one attribute type is only 
described. 

Setup protocol: The setup protocol of the group signature scheme is con- 
ducted, where the trustees cooperatively set up keys of the threshold cryp- 
tosystem. 

Registration protocol: The registration protocol of the group signature scheme is conducted, where the attribute authority preserves the attribute value of the registering user instead of the identity. Thus, each $f(x)$ corresponds to an attribute value, and $f(x)$ is called the attribute index. The list of the indices and attribute values of all users is made public. Furthermore, the membership certificate plays the role of the attribute certificate.

Offering protocol: To offer the attribute value, the user sends the distribu- 
tor the user’s group signature on a random message. The distributor can 
check the correctness of the attribute value by verifying the signature. The 
distributor collects signatures of users. 

Generating protocol: To obtain the statistical result of the attribute type, the distributor sends the trustees the received signatures. Each signature includes the ciphertext of the attribute index, that is, $Enc(f(x))$. The trustees cooperatively shuffle the ciphertexts. After that, for each ciphertext, the following steps are executed.

1. The trustees cooperatively shuffle all registered attribute indices, where the indices are randomized by a random factor while the ciphertext is randomized by the same factor.

2. The quorum of trustees decrypts the randomized ciphertext to make the decrypted value correspond with a randomized attribute index, which indicates only the attribute value, not the attribute index itself.

By counting the attribute values made correspondent with all ciphertexts, the statistical result is computed. In this protocol, furthermore, the correctness of the shuffles and decryption is proved in zero-knowledge.

The correctness of this system is satisfied as follows: The SPK in the group 
signature assures that the signature includes the ciphertext of the attribute 
index. The correspondence between the attribute index and the attribute value 
is assured by the attribute authority through the digital signature. Furthermore, 
the proofs of the shuffles and decryption assure that the statistical result is 
correctly computed from the ciphertexts. 

The anonymity is satisfied as follows: Since the group signature is anonymous, 
the transcript of the offering protocol is anonymous. In the generating protocol, 
the ciphertexts are shuffled, and are made correspondent to the attribute values, 
from which anyone can compute only statistical result. Furthermore, proving the 
correctness of the shuffles and decryption reveals no information. 



5 An Anonymous Statistical Survey System of Attributes 

In this section, the detailed protocols are described. For simplicity of description, assume that there are two attribute types, $A$ and $B$. Let $U$ be a user, and let $D$ be a distributor. Let $AA$ be the attribute authority. Let $T_1, \ldots, T_\ell$ be the trustees.

Assume that the communication between the participants is authenticated (e.g., by digital signatures) except in the offering protocol. Let $\emptyset$ be the empty string. If $S$ is a set, $e \in_R S$ means that $e$ is chosen at random from $S$ according to the uniform distribution.



5.1 Setup Protocol 

In this protocol, $AA$ and the trustees $T_1, \ldots, T_\ell$ generate the secret and public keys.

1. $AA$ computes an RSA modulus $n$, two public exponents $e_1, e_2 > 1$, and two integers $f_1, f_2 > 1$. Note that $e_1, e_2, f_1$ and $f_2$ must satisfy that solving the congruence $f_1 x^{e_2} + f_2 \equiv v^{e_1} \pmod{n}$ is infeasible. The choices for $e_1, e_2, f_1$ and $f_2$ are discussed in [2]. $AA$ chooses a cyclic group $G$ of order $n$. Then, $AA$ chooses bases $g_A, g_B, h \in G$ for which it is infeasible to compute and compare the discrete logarithms. $AA$'s public key is $(n, e_1, e_2, f_1, f_2, G, g_A, g_B, h)$, and the secret key is the factorization of $n$.





Toru Nakanishi and Yuji Sugiyama 



2. The trustees cooperatively generate their secret keys and the public key, where a secret key $x_T$ is shared among the trustees by Shamir's threshold scheme. Then, they publish $y_T = h^{x_T}$ as the trustees' public key. Note that the normal (threshold) ElGamal encryption is constructed on a multiplicative subgroup of prime order $q$ in $\mathbb{Z}_p^*$ such that $p = 2q + 1$, while the encryption in this system is constructed on a cyclic group of order $n$, the RSA modulus, since the underlying group signature scheme uses this encryption.



5.2 Registration Protocol 

When a user $U$ participates in this system, $U$ is issued the attribute certificate from $AA$ by this protocol, which is similar to the registration of the original group signature scheme. Assume that $AA$ is convinced of $U$'s attribute values.

1. $U$ chooses $x \in_R \mathbb{Z}_n^*$ to compute $y = x^{e_2} \pmod{n}$, $z_A = g_A^{y}$ and $z_B = g_B^{y}$. Then, $U$ chooses $r \in_R \mathbb{Z}_n^*$ to compute $\tilde{y} = r^{e_1}(f_1 y + f_2) \pmod{n}$ and the following SPKs:

$V_1 = SPK\{\alpha : z_A = g_A^{\alpha^{e_2}}\}(\emptyset),$

$V_2 = SPK\{\beta : g_A^{\tilde{y}} = \cdots\}(\emptyset),$

$V_3 = SPK\{\gamma : z_A = g_A^{\gamma} \wedge z_B = g_B^{\gamma}\}(\emptyset).$

Note that $V_1$ and $V_2$ are the same as in the original. $V_3$ proves the correctness of $z_A$ and $z_B$.

$U$ sends $(\tilde{y}, z_A, z_B, V_1, V_2, V_3)$ to $AA$.

2. If $V_1$, $V_2$ and $V_3$ are correct, $AA$ sends $\tilde{v} = \tilde{y}^{1/e_1} \pmod{n}$ to $U$.

3. $U$ computes $v = \tilde{v}/r \pmod{n}$ to obtain the attribute certificate $(x, v)$, where $v = (f_1 x^{e_2} + f_2)^{1/e_1} \pmod{n}$. This is the same as the membership certificate of the original.

After the registration, $AA$ publishes $(z_A, a)$, where $a$ is $U$'s value on the attribute type $A$. Similarly, $AA$ publishes $(z_B, b)$, where $b$ is $U$'s value on the attribute type $B$. The values $z_A$ and $z_B$ are the attribute indices.



5.3 Offering Protocol 

$U$ offers the encrypted attribute indices by the following offering protocol. $D$ collects the encrypted attribute indices of users.

1. $D$ sends a random message $m$ to $U$.

2. $U$ computes $C_{1A} = y_T^{t_A} g_A^{y}$ and $C_{2A} = h^{t_A}$ for $t_A \in_R \mathbb{Z}_n^*$, and computes $C_{1B} = y_T^{t_B} g_B^{y}$ and $C_{2B} = h^{t_B}$ for $t_B \in_R \mathbb{Z}_n^*$. Note that $(C_{1A}, C_{2A})$ and $(C_{1B}, C_{2B})$ are the ElGamal encryptions of $z_A$ and $z_B$ with the public key $y_T$. Furthermore, to prove their validity, $U$ computes the following SPKs:

$V_1 = SPK\{(\alpha, \beta) : \cdots\}(m),$

$V_2 = SPK\{(\gamma, \delta) : \cdots\}(m),$

$V_3 = SPK\{(\epsilon, \zeta, \eta) : C_{1A} = y_T^{\epsilon} g_A^{\zeta} \wedge C_{2A} = h^{\epsilon} \wedge C_{1B} = y_T^{\eta} g_B^{\zeta} \wedge C_{2B} = h^{\eta}\}(m).$

Note that $V_1$ and $V_2$ prove that the user knows the attribute certificate $(x, v)$, which is similar to the proof of the knowledge of the membership certificate in the original group signature scheme.

$U$ sends $D$ $(C_{1A}, C_{2A}, C_{1B}, C_{2B}, V_1, V_2, V_3)$.

3. $D$ verifies its correctness by checking $V_1$, $V_2$ and $V_3$.

5.4 Generating Protocol 

Assume that $D$ collects $u$ transcripts of the offering protocol. Note that $u$ should be large to some degree. By the following generating protocol, the trustees $T_1, \ldots, T_\ell$ cooperatively compute the statistical result of every attribute type from the transcripts, while the anonymity of users is kept. For simplicity of description, only the case of the attribute type $A$ is shown, and assume that the values of $A$ are $a$ and $a'$. The public lists of the attribute indices $z_A$ registered by all users with the value $a$ and $a'$ are denoted as $P_a = (z_1, \ldots, z_N)$ and $P_{a'} = (z'_1, \ldots, z'_{N'})$, respectively.

1. $D$ sends the trustees the $u$ transcripts of the offering protocol.

2. Each $T_i$ verifies $V_1$, $V_2$ and $V_3$ in the transcripts, and rejects if they are not valid. The ciphertexts $(C_{1A}, C_{2A})$ in the $u$ transcripts are numbered as $L = \{(C_{1,1}, C_{2,1}), \ldots, (C_{1,u}, C_{2,u})\}$.

3. For the list $L$, $T_1, \ldots, T_\ell$ cooperatively shuffle the list to output the list $\tilde{L} = \{(\tilde{C}_{1,1}, \tilde{C}_{2,1}), \ldots, (\tilde{C}_{1,u}, \tilde{C}_{2,u})\}$ by using the shuffle protocol [3]. Note that this shuffle makes the ciphertexts in the original list unlinkable to the attribute values, which are made to correspond with the ciphertexts in the shuffled list. Then, the trustees cooperatively prove to $D$ the correctness of the shuffle by the proof protocol [3].

4. For every ciphertext $(\tilde{C}_{1,k}, \tilde{C}_{2,k})$ $(1 \le k \le u)$ in $\tilde{L}$, $T_1, \ldots, T_\ell$ cooperatively execute the following sub-steps:

(a) The trustees cooperatively shuffle the public lists $P_a$ and $P_{a'}$ by using the same random factor, while the ciphertext $(\tilde{C}_{1,k}, \tilde{C}_{2,k})$ is also randomized by that factor. The concrete protocol SHUFFLE-SAME-RAND is shown afterward. The outputs of SHUFFLE-SAME-RAND are denoted as $\hat{P}_a = (\hat{z}_1, \ldots, \hat{z}_N)$, $\hat{P}_{a'} = (\hat{z}'_1, \ldots, \hat{z}'_{N'})$ and $(\hat{C}_{1,k}, \hat{C}_{2,k})$. After this protocol, the following relations are satisfied:

$\hat{z}_j = z_{\pi(j)}^{t}$ for all $1 \le j \le N$,
$\hat{z}'_{j'} = z'^{\,t}_{\pi'(j')}$ for all $1 \le j' \le N'$,
$\hat{C}_{1,k} = \tilde{C}_{1,k}^{t}$, and
$\hat{C}_{2,k} = \tilde{C}_{2,k}^{t}$,

for random permutations $\pi, \pi'$, and $t \in_R \mathbb{Z}_n^*$. Furthermore, the trustees cooperatively prove to $D$ the correctness of the SHUFFLE-SAME-RAND by the protocol SHUFFLE-SAME-RAND-PROOF, which is also shown afterward.

(b) For the output of SHUFFLE-SAME-RAND, $\hat{P}_a = (\hat{z}_1, \ldots, \hat{z}_N)$, $\hat{P}_{a'} = (\hat{z}'_1, \ldots, \hat{z}'_{N'})$ and $(\hat{C}_{1,k}, \hat{C}_{2,k})$, a quorum of the trustees cooperatively decrypts the ciphertext by $\hat{z} = \hat{C}_{1,k} / \hat{C}_{2,k}^{x_T}$. Furthermore, the trustees cooperatively prove to $D$ the correctness. Their concrete protocols are shown in [2]. Note that, if the attribute index $z$ is encrypted into $(\tilde{C}_{1,k}, \tilde{C}_{2,k})$, $\hat{z}$ should equal $z^{t}$, which is in $\hat{P}_a$ or $\hat{P}_{a'}$. Therefore, if $\hat{z}$ is in the list $\hat{P}_a$, the ciphertext $(\tilde{C}_{1,k}, \tilde{C}_{2,k})$ is proved to correspond with the attribute value $a$. Otherwise, it is proved to correspond with the value $a'$.

5. $D$ obtains the statistical result of the attribute type $A$ by counting the attribute values corresponding with all ciphertexts in the shuffled list $\tilde{L}$.

Next, the protocol SHUFFLE-SAME-RAND is concretely shown.

SHUFFLE-SAME-RAND: In this protocol, for inputs $P_a = (z_1, \ldots, z_N)$, $P_{a'} = (z'_1, \ldots, z'_{N'})$ and $(\tilde{C}_{1,k}, \tilde{C}_{2,k})$, the trustees cooperatively output $\hat{P}_a = (\hat{z}_1, \ldots, \hat{z}_N)$, $\hat{P}_{a'} = (\hat{z}'_1, \ldots, \hat{z}'_{N'})$ and $(\hat{C}_{1,k}, \hat{C}_{2,k})$ such that

$\hat{z}_j = z_{\pi(j)}^{t}$ for all $1 \le j \le N$,
$\hat{z}'_{j'} = z'^{\,t}_{\pi'(j')}$ for all $1 \le j' \le N'$,
$\hat{C}_{1,k} = \tilde{C}_{1,k}^{t}$, and
$\hat{C}_{2,k} = \tilde{C}_{2,k}^{t}$,

for random permutations $\pi, \pi'$, and $t \in_R \mathbb{Z}_n^*$.

The task of each trustee is as follows. Trustee $T_i$ receives two lists $(z_{i-1,1}, \ldots, z_{i-1,N})$ and $(z'_{i-1,1}, \ldots, z'_{i-1,N'})$ and two values $E_{i-1}$ and $F_{i-1}$, where $z_{0,1} = z_1, \ldots, z_{0,N} = z_N$, $z'_{0,1} = z'_1, \ldots, z'_{0,N'} = z'_{N'}$, $E_0 = \tilde{C}_{1,k}$ and $F_0 = \tilde{C}_{2,k}$. $T_i$ chooses two random permutations $\pi_i$ and $\pi'_i$ and a random factor $t_i \in_R \mathbb{Z}_n^*$. Then, $T_i$ computes

$z_{i,j} = z_{i-1,\pi_i(j)}^{t_i}$ for all $1 \le j \le N$,
$z'_{i,j'} = z'^{\,t_i}_{i-1,\pi'_i(j')}$ for all $1 \le j' \le N'$,
$E_i = E_{i-1}^{t_i}$, and
$F_i = F_{i-1}^{t_i}$.

$T_i$'s output consists of $(z_{i,1}, \ldots, z_{i,N})$, $(z'_{i,1}, \ldots, z'_{i,N'})$, $E_i$ and $F_i$. The next trustee works in the same way, and the process continues up to $T_\ell$. The output of this protocol consists of $\hat{P}_a = (\hat{z}_1 = z_{\ell,1}, \ldots, \hat{z}_N = z_{\ell,N})$, $\hat{P}_{a'} = (\hat{z}'_1 = z'_{\ell,1}, \ldots, \hat{z}'_{N'} = z'_{\ell,N'})$ and $(\hat{C}_{1,k} = E_\ell, \hat{C}_{2,k} = F_\ell)$.

For the above random permutations $\pi_i$ and $\pi'_i$ and factors $t_i$, $t = \prod_{i=1}^{\ell} t_i \pmod{n}$, $\pi = \pi_1 \cdots \pi_\ell$ and $\pi' = \pi'_1 \cdots \pi'_\ell$ should hold.

The following protocol is SHUFFLE-SAME-RAND-PROOF, which is derived from the shuffle proof protocol in [3].

SHUFFLE-SAME-RAND-PROOF: In this protocol, the trustees cooperatively prove that they honestly conducted the protocol SHUFFLE-SAME-RAND. The trustees cooperatively conduct the following $\sigma$ times, which gives the error probability $1/2^{\sigma}$.

1. $T_i$ receives $(z_{i-1,1}, \ldots, z_{i-1,N})$ and $(z'_{i-1,1}, \ldots, z'_{i-1,N'})$, and two values $E_{i-1}$ and $F_{i-1}$, where $z_{0,1} = z_1, \ldots, z_{0,N} = z_N$, $z'_{0,1} = z'_1, \ldots, z'_{0,N'} = z'_{N'}$, $E_0 = \tilde{C}_{1,k}$ and $F_0 = \tilde{C}_{2,k}$. $T_i$ chooses two random permutations $\lambda_i$ and $\lambda'_i$ and a random factor $s_i \in_R \mathbb{Z}_n^*$. Then, $T_i$ computes

$z_{i,j} = z_{i-1,\lambda_i(j)}^{s_i}$ for all $1 \le j \le N$,
$z'_{i,j'} = z'^{\,s_i}_{i-1,\lambda'_i(j')}$ for all $1 \le j' \le N'$,
$E_i = E_{i-1}^{s_i}$, and
$F_i = F_{i-1}^{s_i}$.

$T_i$ sends $(z_{i,1}, \ldots, z_{i,N})$, $(z'_{i,1}, \ldots, z'_{i,N'})$, $E_i$ and $F_i$ to the next trustee $T_{i+1}$. The last trustee sends $(z_{\ell,1}, \ldots, z_{\ell,N})$, $(z'_{\ell,1}, \ldots, z'_{\ell,N'})$, $E_\ell$ and $F_\ell$ to $D$ and all trustees.

2. $D$ sends $c \in_R \{0, 1\}$ to all trustees.

3. If $c = 0$, each $T_i$ computes a commitment $b_i = BC(i, \lambda_i, \lambda'_i, s_i)$ and distributes the commitment to $D$ and all trustees, where $BC$ is a bit commitment scheme. After all commitments are distributed, each $T_i$ opens his commitment by revealing $\lambda_i$, $\lambda'_i$ and $s_i$. The last trustee $T_\ell$ computes $\lambda = \lambda_1 \cdots \lambda_\ell$, $\lambda' = \lambda'_1 \cdots \lambda'_\ell$ and $s = \prod_{i=1}^{\ell} s_i \pmod{n}$. Every trustee verifies that all commitments, $\lambda$, $\lambda'$ and $s$ are correctly made. If this verification fails, this protocol stops.

If $c = 1$, each $T_i$ computes $\varphi_i = \pi_i^{-1} \varphi_{i-1} \lambda_i$, $\varphi'_i = \pi'^{-1}_i \varphi'_{i-1} \lambda'_i$ and $w_i = w_{i-1} s_i / t_i \pmod{n}$, where $\varphi_0, \varphi'_0$ are the identity permutations and $w_0 = 1 \pmod{n}$. The last $T_\ell$ sends $\varphi = \varphi_\ell$, $\varphi' = \varphi'_\ell$ and $w = w_\ell$ to $D$ and the other trustees.

4. $D$ and each trustee verify that, if $c = 0$,

$z_{\ell,j} = z_{\lambda(j)}^{s}$ for all $1 \le j \le N$,
$z'_{\ell,j'} = z'^{\,s}_{\lambda'(j')}$ for all $1 \le j' \le N'$,
$E_\ell = \tilde{C}_{1,k}^{s}$, and
$F_\ell = \tilde{C}_{2,k}^{s}$,

and if $c = 1$,

$z_{\ell,j} = \hat{z}_{\varphi(j)}^{w}$ for all $1 \le j \le N$,
$z'_{\ell,j'} = \hat{z}'^{\,w}_{\varphi'(j')}$ for all $1 \le j' \le N'$,
$E_\ell = \hat{C}_{1,k}^{w}$, and
$F_\ell = \hat{C}_{2,k}^{w}$.

□ 
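Step 4 of the generating protocol (Section 5.4) and one round of SHUFFLE-SAME-RAND-PROOF, simulated in Python as an added example; this is not the authors' code. It runs SHUFFLE-SAME-RAND over the two public index lists and one ciphertext with $\ell = 3$ trustees, decrypts the hatted ciphertext, tests which hatted list contains $\hat{z}$, and then plays the cut-and-choose round for both challenge bits: for $c = 0$ the verifier rebuilds the chain from the original inputs with $(\lambda, s)$, for $c = 1$ from the hatted outputs with $(\varphi, w)$, with $\varphi_i = \pi_i^{-1}\varphi_{i-1}\lambda_i$ and $w_i = w_{i-1} s_i / t_i$ computed trustee by trustee as in Step 3. Assumptions: a toy prime-order subgroup of $\mathbb{Z}_P^*$ ($P = 1019$, $Q = 509$) stands in for the order-$n$ group of the paper, so exponents are reduced modulo $Q$; a single decryption key stands in for the threshold quorum; the registered indices and the offered ciphertext are constructed sample data; all function names are this example's own.

```python
import secrets

# Toy prime-order group, constructed for this example and far too small for real
# use. The paper works in a cyclic group of RSA-modulus order n; here a subgroup
# of Z_P^* of prime order Q is used, so exponents are reduced modulo Q.
P, Q = 1019, 509            # P = 2*Q + 1, both prime
H = pow(2, 2, P)            # base h of the trustees' ElGamal key
G_A = pow(3, 2, P)          # base g_A of the attribute indices of type A


def rand_exp():
    """Uniform non-zero exponent: the role of t_i and s_i in the paper."""
    return 1 + secrets.randbelow(Q - 1)


def rand_perm(n):
    """Uniform random permutation of range(n) (Fisher-Yates over a CSPRNG)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def compose(p, q):
    """(p o q)(j) = p[q[j]]: the order in which z_{i,j} = z_{i-1,pi_i(j)} chains."""
    return [p[q[j]] for j in range(len(q))]


def invert(p):
    inv = [0] * len(p)
    for j, pj in enumerate(p):
        inv[pj] = j
    return inv


def elgamal_encrypt(y_t, z):
    """Offering protocol: (C1, C2) = (y_T^t * z, h^t) for a fresh t."""
    t = rand_exp()
    return (pow(y_t, t, P) * z % P, pow(H, t, P))


def elgamal_decrypt(x_t, c):
    """z = C1 / C2^{x_T}; one key stands in for the trustees' quorum here."""
    return c[0] * pow(pow(c[1], x_t, P), -1, P) % P


def shuffle_same_rand(lists, cipher, n_trustees):
    """SHUFFLE-SAME-RAND: each trustee T_i permutes every public list with its
    own pi_i and raises all list elements and both ciphertext parts to one t_i.
    Returns the hatted lists, the hatted ciphertext and each trustee's secret
    (pi_i per list, t_i), which stays private in the real protocol."""
    cur, (e, f), trustee_secrets = [list(l) for l in lists], cipher, []
    for _ in range(n_trustees):
        ti, pis = rand_exp(), [rand_perm(len(l)) for l in lists]
        cur = [[pow(l[pi[j]], ti, P) for j in range(len(l))] for l, pi in zip(cur, pis)]
        e, f = pow(e, ti, P), pow(f, ti, P)
        trustee_secrets.append((pis, ti))
    return cur, (e, f), trustee_secrets


def proof_round(lists, cipher, hatted, hat_cipher, trustee_secrets, c):
    """One round of SHUFFLE-SAME-RAND-PROOF with honest trustees and challenge
    bit c. Step 1 builds a fresh chain with lambda_i, s_i; Step 3 opens
    (lambda, s) if c = 0 or (phi, w) if c = 1; Step 4 is the verifier's check."""
    cur, (e, f) = [list(l) for l in lists], cipher
    lam = [list(range(len(l))) for l in lists]      # lambda = lambda_1 ... lambda_l
    phi = [list(range(len(l))) for l in lists]      # phi_0 = identity
    s, w = 1, 1                                     # s = prod s_i, w_0 = 1
    for pis, ti in trustee_secrets:
        si, lams_i = rand_exp(), [rand_perm(len(l)) for l in lists]
        cur = [[pow(l[lm[j]], si, P) for j in range(len(l))] for l, lm in zip(cur, lams_i)]
        e, f = pow(e, si, P), pow(f, si, P)
        lam = [compose(a, b) for a, b in zip(lam, lams_i)]
        # phi_i = pi_i^{-1} phi_{i-1} lambda_i  and  w_i = w_{i-1} * s_i / t_i
        phi = [compose(invert(pi), compose(ph, lm)) for pi, ph, lm in zip(pis, phi, lams_i)]
        s, w = s * si % Q, w * si * pow(ti, -1, Q) % Q
    if c == 0:   # verifier rebuilds the chain from the ORIGINAL inputs with (lambda, s)
        base, (b1, b2), perm, exp = lists, cipher, lam, s
    else:        # verifier rebuilds it from the HATTED outputs with (phi, w)
        base, (b1, b2), perm, exp = hatted, hat_cipher, phi, w
    lists_ok = all(cur[i][j] == pow(base[i][perm[i][j]], exp, P)
                   for i in range(len(lists)) for j in range(len(lists[i])))
    return lists_ok and e == pow(b1, exp, P) and f == pow(b2, exp, P)


def generating_step(x_t, public_lists, values, cipher, n_trustees=3):
    """Step 4 for one shuffled ciphertext: SHUFFLE-SAME-RAND, decrypt, and see
    which hatted list holds the result. Returns (value or None, c=0 check,
    c=1 check)."""
    hatted, hat_c, sec = shuffle_same_rand(public_lists, cipher, n_trustees)
    z_hat = elgamal_decrypt(x_t, hat_c)
    value = next((v for v, l in zip(values, hatted) if z_hat in l), None)
    return (value,
            proof_round(public_lists, cipher, hatted, hat_c, sec, 0),
            proof_round(public_lists, cipher, hatted, hat_c, sec, 1))


def demo():
    x_t = rand_exp()                  # trustees' secret key x_T
    y_t = pow(H, x_t, P)              # y_T = h^{x_T}
    # Constructed registrations: three users with value a, two with value a'.
    p_a = [pow(G_A, y, P) for y in (17, 23, 31)]      # z_j = g_A^{y_j}
    p_a2 = [pow(G_A, y, P) for y in (41, 43)]
    cipher = elgamal_encrypt(y_t, p_a[1])             # a user with value a offers
    return generating_step(x_t, [p_a, p_a2], ["a", "a'"], cipher)


if __name__ == "__main__":
    print(demo())    # ('a', True, True)
```

The membership test finds $\hat{z}$ in the hatted list for $a$ but reveals neither which registered $z_j$ it came from nor the position of that index in $P_a$, which is the point of raising the list and the ciphertext to the same $t$. A trustee that substitutes even one element of a hatted list makes the $c = 1$ check fail, because $\pi \varphi = \lambda$ and $t w = s$ no longer hold for that position.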



6 Discussion 



Before the satisfaction of the requirements is discussed, two lemmas are shown. The following lemma for the protocol SHUFFLE-SAME-RAND holds, since it is infeasible to determine the sameness of the discrete logarithms.

Lemma 1. Given all $z_{i,j}$ and $z'_{i,j'}$, no adversary can determine $\pi_i(j)$ for any $j$ or $\pi'_i(j')$ for any $j'$ with non-negligibly better probability.

The next lemma shows the security of SHUFFLE-SAME-RAND-PROOF. The proof of this lemma is similar to that of the shuffle proof protocol in [3]. The sketch of the proof is shown in the appendix.

Lemma 2. SHUFFLE-SAME-RAND-PROOF is an honest verifier zero-knowledge proof of knowledge.



Now, we discuss that the proposed system satisfies the requirements in Section 2. For simplicity, only the case of the attribute type $A$ is shown.

Correctness: Owing to the soundness of the SPKs $V_1$, $V_2$ and $V_3$, and the protection against the replay attack that is brought by the use of the random message $m$, it is assured that the user knows the attribute certificate $(x, v)$ such that the ciphertext $(C_{1A}, C_{2A})$ is encrypted from $z_A = g_A^{x^{e_2}}$. Owing to the unforgeability of $(x, v)$ and the soundness of the SPKs $V_1$, $V_2$ and $V_3$, it is assured that the user, in advance, registered $z_A$, which is published with the genuine attribute value $a$. Therefore, the user can offer only the ciphertext of $z_A$ corresponding with $a$.

What remains is to show that, in the generating protocol, the ciphertext $(C_{1A}, C_{2A})$ is revealed as only the genuine attribute value $a$. After the list of the ciphertexts is shuffled, let $(\tilde{C}_{1A}, \tilde{C}_{2A})$ be the permuted ciphertext of $(C_{1A}, C_{2A})$. Then, since both ciphertexts can be decrypted into the same plaintext, the following is satisfied:

$C_{1A} / C_{2A}^{x_T} = \tilde{C}_{1A} / \tilde{C}_{2A}^{x_T}.$

In Step 4-(a) of the protocol, all users' $z_A$ with the attribute value $a$, which are denoted $z_j$, are transformed into $z_{\pi(j)}^{t}$ for the trustees' random permutation $\pi$ and random factor $t$, and $(\tilde{C}_{1A}, \tilde{C}_{2A})$ is also transformed into $(\hat{C}_{1A} = \tilde{C}_{1A}^{t}, \hat{C}_{2A} = \tilde{C}_{2A}^{t})$. Then, the decrypted value $\hat{z}$ satisfies the following:

$\hat{z} = \hat{C}_{1A} / \hat{C}_{2A}^{x_T} = \tilde{C}_{1A}^{t} / (\tilde{C}_{2A}^{t})^{x_T} = (\tilde{C}_{1A} / \tilde{C}_{2A}^{x_T})^{t} = (C_{1A} / C_{2A}^{x_T})^{t} = z_A^{t}.$

Since the value $z_A^{t}$ should be in the list $\hat{P}_a$, the ciphertext $(\tilde{C}_{1A}, \tilde{C}_{2A})$ is made correspondent with the genuine value $a$. Thus, the original ciphertext $(C_{1A}, C_{2A})$ is revealed as only the genuine attribute value $a$. Therefore, the correctness of the statistical result is assured.

Anonymity: In the proposed protocols, since the SPKs and PKs release no information on secrets, they are ignored in the following discussion. Similarly, the blinded message $\tilde{y}$ is ignored. Furthermore, note that the ciphertext of the ElGamal encryption also releases no information on secrets, but it should be discussed only that the ciphertext itself appears in both the offering and generating protocols.

The first discussion is on tracing the owner's identity from the transcript of the offering protocol. This is possible if the transcript is linked to an attribute index $z$ of which $AA$ knows the owner. In the generating protocol, the transcript is not directly linked to $z$, but to $z^{t}$ for a random factor $t$. In addition, the correspondence of $z^{t}$ with $z$ is concealed through the permutation and randomization, as shown in Lemma 1. Therefore, the tracing is infeasible.

The second is linking transcripts w.r.t. the sameness of the owner. This is possible if the attribute indices $z$ and $z'$ of the transcripts are linkable. However, the transcripts are only linked to $z^{t}$ and $z'^{\,t'}$ for different random factors $t$ and $t'$. And, given $z^{t}$ and $z'^{\,t'}$, it is infeasible to determine the sameness of $z$ and $z'$, since it is infeasible to determine the sameness of the discrete logarithms. Thus, linking the transcripts is infeasible.

The final is linking from the transcript to the attribute value. In the generating protocol, though it is proved that the transcript corresponds with one of the attribute values, the corresponding value itself is unknown owing to the shuffle protocol in Step 3 of the generating protocol. Furthermore, as stated above, it is infeasible to link the transcript to the attribute index. Therefore, this link is also infeasible.

7 Conclusion 

In this paper, a statistical survey system of attributes is proposed, where both correctness and anonymity are satisfied. Though the complexity of users' offering their attributes is comparable to the practical group signature [2], the complexity of the trustees' proving the correctness is proportional to the number of all users. This implies inefficiency when many users join the system in order to obtain the attributes of many users. Thus, our future work is to propose a system overcoming this inefficiency.
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Appendix: Sketch of Proof of Lemma 2 

In this appendix, the sketch of the proof of Lemma 2 is shown. 

Lemma 2. SHUFFLE-SAME-RAND-PROOF is a honest verifier zero-knowl- 
edge proof of knowledge. 

Sketch of proof. The completeness holds as follows. In the case of c = 0, it is 
clear that the verification equations are satisfied if trustees compute the correct 
values. In the case of c = 1, 



- ^\(j ) : 

for A = Ai • • • Af and s = rii=i (mod n). On the other hand, from Zj = 

ip = • • • TTf^Ai = 7T“U and w = nf=i Si/ti = (OLl S*)/(nLl = 

s/t (mod n), 

= ( 4 . 0 -))“' 

= 4(i)- 
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Thus, 



~ 'W 

- ^vU) ■ 

Similarly, the other verification equations of c = 1 are satisfied if the trustees 
compute the correct values. 

Next, the soundness is proved as follows. Assume that the trustees correctly 
answer both the c = 0 and c = 1 cases for the same λ, λ', (z_{ℓ,1}, ..., z_{ℓ,N}), 
(z'_{ℓ,1}, ..., z'_{ℓ,N'}), E_ℓ and F_ℓ. Then, by using ψ and λ, one can extract π as 
λψ^{-1} = λ(π^{-1}λ)^{-1} = π. Similarly, π' is extracted. Furthermore, by using s and 
w, one can extract t as s/w = s/(s/t) = t (mod n). Though it is complex 
to extract the knowledge of an individual trustee, it can be extracted in a way 
similar to P_j. 

Finally, to prove the zero-knowledge property, ℓ simulators S_1, ..., S_ℓ are constructed 
as well as P_j. First, the simulators cooperatively choose c ∈_R {0, 1}. If c = 0, they 
honestly conduct the protocol. They can accomplish it, since the knowledge is 
not needed in this case. If c = 1, each simulator S_i chooses fake permutations λ_i 
and λ'_i and a fake factor s_i ∈_R Z_n^*. Then, the simulators except the last simulator 
S_ℓ honestly obey the protocol. In Step 1, the last simulator S_ℓ computes 

zej = for all I < j < N, 

1 < j' < N', 

Ei = Cl%, and 
Fi = 

and sends them to D and all simulators. In Step 3, S_ℓ sends D and all simulators 
ψ = λ_ℓ, ψ' = λ'_ℓ and w = s_ℓ, which satisfy the verification equations of Step 4. 
The views of the simulators and trustees (in the real protocol) are indistinguish- 
able except for the ℓ-th party in the case of c = 1, since they honestly obey the 
protocol. Consider T_ℓ and S_ℓ in the case of c = 1. In Step 1, z_{ℓ,j} of T_ℓ has the 
form determined by a random factor R ∈_R Z_n^*, since the original z_j has this form 
and it is raised to the power s_ℓ ∈_R Z_n^*. For the same reason, z_j is also of this 
form, and so is z_{ℓ,j} of S_ℓ. Thus, the distributions of z_{ℓ,j} of T_ℓ and S_ℓ are the 
same. It similarly holds for the other values in Step 1. In Step 3, the values w of 
T_ℓ and S_ℓ are distributed uniformly on Z_n^*, and so are the permutations ψ, ψ'. 
Therefore, their views are also indistinguishable. 

□ 
Abstract. It is expected that mobile agents will be widely used for elec- 
tronic commerce as an important key technology. If a mobile agent can 
sign a message in a remote server on behalf of a customer without ex- 
posing his/her private key, it can be used not only to search for special 
products or services, but also to make a contract with a remote server. To 
construct mobile agents, [KBC00] used an RSA-based undetachable sig- 
nature scheme, but it does not provide the server's non-repudiation because 
the undetachable signature does not contain the server's signature. 

Mobile agent is a very good application example of proxy signature, 
and the undetachable signature can be considered as an example of 
proxy signature. In this paper we show that a secure mobile agent can be 
constructed using the strong non-designated proxy signature [LKK01], which 
represents both the original signer's (customer) and the proxy signer's 
(remote server) signatures. We provide RSA-based and Schnorr-based 
constructions of secure mobile agent, and moreover we show that the 
Schnorr-based scheme can be used very efficiently in the multi-proxy mobile 
agent situation. 

Keywords. Secure mobile agent, strong non-designated proxy signature, 
multi-proxy signature. 



1 Introduction 

1.1 Mobile Agent 

Mobile agents [ECS96, ...] are autonomous software entities that are 
able to migrate across different execution environments through the network. The 
characteristics of mobile agents, mobility and autonomy, make them ideal for 
electronic commerce applications because permanent connections between cus- 
tomers and servers are unnecessary and low-bandwidth connections and asyn- 
chronous communications are possible. Furthermore, they provide better support 
for heterogeneous environments. Mobile agents can be used for electronic com- 
merce in many ways: search for and buy special products or services on behalf of a 
customer, negotiate something with other entities, and sell products on behalf 
of a shopping mall server. 

* This work was done when she was with ICU. 

We consider a scenario in which a mobile agent is ordered to search for the price 
of a flight ticket and book it on behalf of a customer. If the mobile agent finds 
a proper bid presented by a server, the mobile agent will book it by digitally 
signing the server's bid and the customer's requirement with both the customer's 
and the server's keys. To make this possible, the mobile agent must carry, in some 
form, the customer's private key and compute with it. 

However, mobile agents are vulnerable to several attacks, particularly by 
malicious hosts. The fundamental problems of executing mobile code in a remote 
host can be listed as follows: 

1. Code and execution integrity: Can a mobile agent protect itself against tam- 
pering by a malicious server? 

2. Code privacy: Can a mobile agent conceal the program it wants to have 
executed? 

3. Computing with secrets in public: Can a mobile agent remotely sign a doc- 
ument without disclosing user’s private key? 

There has been extensive research to solve these problems. A reasonable 
and practical approach is to provide a software-based mechanism that prevents any 
kind of vulnerability actively. Implementing any kind of secure function in a mobile 
agent is difficult because all the code and data of the mobile agent are exposed 
to the remote server. One of the best ways to conceal the customer's private key and 
keep the integrity of mobile code is to use cryptographic hard problems such 
as the integer factorization problem or the discrete logarithm problem. The undetachable 
signature scheme is an example. 

1.2 Undetachable Signature Scheme 

[ST98] introduced the concept of Computing with Encrypted Functions (CEF), 
which tries to conceal the signature function by composing it with an encryption 
function. [KBC00] implemented CEF using an RSA-based undetachable signa- 
ture scheme. The customer signs his requirement information using an RSA signa- 
ture and builds up an encrypted signature function, and then gives it to the mobile 
agent. Then the server can generate the customer's signature on the bid information 
on behalf of the customer. The customer's private key is hidden in the encrypted 
signature function and its secrecy is based on the RSA assumption. 

Although the undetachable signature scheme of [KBC00] hides the customer's 
private key successfully, it does not provide fairness of contract. The basic 
requirement of a fair contract is non-repudiation of both parties. The undetach- 
able signature represents only the customer's signature and it can be computed by 
any party, so the server can repudiate his signature generation later. After the 
booking process of the flight ticket is finished with the customer's payment, the 
server can repudiate his signature generation and refuse to deliver the flight 
ticket. 

A simple solution for this problem is that the server signs his final messages 
before giving them to the mobile agent, but this is not a neat solution. In Section 
4, we propose an efficient strong proxy signature scheme which represents both 
the customer’s and the server’s signatures providing the fairness of contract. 

The basic concept of undetachable signature scheme is very similar to the 
delegation of customer’s signing capability to unspecified proxy signers. Hereafter 
we review proxy signature schemes briefly. 



1.3 Proxy Signature 



Proxy signature is a signature scheme in which an original signer delegates his/her 
signing capability to a proxy signer, and then the proxy signer creates a signature 
on behalf of the original signer. When a receiver verifies a proxy signature, he 
verifies the signature itself and the original signer's delegation together. The basic 
methodology of proxy signature is that the original signer creates a signature 
on delegation information (ID of the proxy signer, or any warrant information) 
and gives it secretly to the proxy signer, and then the proxy signer uses it to 
generate a proxy key pair. Because the proxy key pair is generated using the origi- 
nal signer's signature on the delegation information, any verifier can check the original 
signer's agreement from a proxy signature. 

[MUO96] first introduced the concept of proxy signature. They classified 
proxy signatures based on delegation type as full delegation (giving the origi- 
nal signer's private key itself), partial delegation (issuing a new key pair), and 
delegation by warrant (issuing a certificate stating the delegation information). 
Partial delegation is further classified as proxy-unprotected and proxy-protected 
according to the protection of the proxy signer. They provided various constructions of 
proxy signature schemes and their security analysis. [KPW97] extended them 
by using the Schnorr signature and including warrant information in partial delega- 
tion schemes (partial delegation with warrant). [LKK01] provided several attacks 
against previous proxy signature schemes and introduced the concept of strong 
proxy signatures which represent both the original signer's and the proxy signer's signa- 
tures. They also introduced the concept of strong non-designated proxy signature, 
where the original signer does not specify proxy signers in the delegation stage. 
It is useful when proxy signers cannot be determined in the delegation stage. 

Mobile agent is one of the best application areas of proxy signature schemes, 
because the original signer (customer) has to delegate his/her signing capability 
to the mobile agent (and to the server) for it to execute any authentic operation 
on behalf of the original signer. [KBLK01] applied proxy signature schemes to 
mobile agents and introduced one-time proxy signatures to guarantee one-timeness 
of signature generation. [OSM01] considered the multi-proxy situation where plural 
customers delegate their signing capabilities to a mobile agent and proposed 
an efficient mobile agent scheme. Multi-proxy signature is also considered in 
[YBX00]. But [OSM01] and [YBX00] have used weak versions of proxy signature, 
so they cannot provide non-repudiation of the server. 



1.4 Our Contribution 

To provide strong undeniability, i.e., non-repudiation of the server, we construct 
Secure Mobile Agent (SMA) using the Strong Non-designated Proxy Signature 
(SNPS) [LKK01]. We provide two implementation examples of SMA. Firstly, 
we construct RSA-based SMA, which is an extension of [KBC00], and show that 
it satisfies all the requirements of SNPS. Secondly, we construct Schnorr-based 
SMA using [LKK01] [KBLK01] and show that it also satisfies all the requirements 
of SNPS. Moreover, we show that the Schnorr-based SNPS can be used very 
efficiently in the multi-proxy situation, providing efficiency in communication and 
computation. 

In Section 2, we describe SNPS briefly with its security requirements. In Sec- 
tions 3 and 4, we construct Schnorr-based SMA and RSA-based SMA, respec- 
tively. In Section 5, we describe multi-proxy SMA using multi-proxy signature. 
Finally, we conclude in Section 6. 



2 Strong Non-designated Proxy Signature 

[LKK01] has shown several attacks against previous proxy signature schemes 
[MUO96] [...] [KPW97]. There are possibilities of the proxy signer's repudiation 
or misuse of the proxy key pair. They classified proxy signatures as strong and 
weak ones. Strong proxy signatures represent both the original signer's and the proxy 
signer's signatures, while weak ones represent only the original signer's signature. 
In real situations, assuming the trustedness of the original signer or proxy signer is 
difficult, especially in a distributed environment such as mobile agents. So weak versions 
of proxy signature cannot be used. If the proxy signature scheme is strong, it 
can be used without designating the proxy signer in the delegation stage. We define 
the Strong Non-designated Proxy Signature (SNPS) as follows. 

Definition 1 (Strong Non-designated Proxy Signature). Let A be an 
original signer who has an authentic key pair (sk_A, pk_A) and B be a proxy signer 
who has an authentic key pair (sk_B, pk_B). Let m_w be A's warrant information for 
the delegation, which does not specify a proxy signer. Let σ_A = S(sk_A, m_w) be A's 
signature on the warrant using her private key sk_A. Then SNPS is constructed 
as the following three algorithms (PKG, PS, PV). 

— PKG is a proxy key issuing algorithm that takes the original signer's signa- 
ture σ_A and the proxy signer's private key sk_B and outputs a proxy key pair 
(sk_P, pk_P). It is executed by the proxy signer. 

(sk_P, pk_P) ← PKG(σ_A, sk_B). 

— PS is a proxy signing algorithm that takes the proxy private key sk_P and a message 
m and outputs a proxy signature σ_P. It is executed by the proxy signer. 

σ_P ← PS(sk_P, m). 

— PV is a proxy verification algorithm that takes (σ_P, m, m_w, pk_A, pk_B) and 
outputs either accept or reject. It is executed by any verifier. 

PV(σ_P, m, m_w, pk_A, pk_B) = accept or reject. 

SNPS should satisfy the following security requirements [LKK01]. 

Rl. Verifiability: From a proxy signature a verifier can be convinced of the orig- 
inal signer’s agreement on the signed message. 

R2. Strong unforgeability: A proxy signer can create a valid proxy signature for 
the original signer. But the original signer and any third party cannot create 
a valid proxy signature with the name of proxy signer. 

R3. Strong identifiability: Anyone can determine the identity of the corresponding 
proxy signer from a proxy signature. 

R4. Strong undeniability: Once a proxy signer creates a valid proxy signature on 
behalf of an original signer, the proxy signer cannot repudiate his signature 
creation against anyone. 

R5. Prevention of misuse: It should be confident that proxy key pair cannot be 
used for other purposes. In the case of misuse, the responsibility of proxy 
signer should be determined explicitly. 

A proxy signature represents both the original signer’s signature (by Rl) and 
the proxy signer’s signature (by R2, R3, and R4). Requirement R5 guarantees 
that the proxy key pair cannot be used for other purposes. 

In mobile agent environment, the customer (original signer) cannot deter- 
mine a proper server (proxy signer) in the delegation stage who will suggest a 
conforming bid. In this case mobile agent has the role of transferring customer’s 
delegation information to possible proxy signers. To provide fairness of contract, 
proxy signature scheme should contain proxy signer’s signature together with 
original signer’s agreement. Therefore, SNPS is a perfect solution to construct 
SMA. 

Because SNPS represents both the original signer's and the proxy signer's 
signatures, it can be considered as an efficient integration scheme of two related 
signatures. As stated in [MUO96] and [KPW97], a partially delegated proxy signa- 
ture is more efficient than that of delegation by warrant, which is represented by 
two signatures. We will discuss the efficiency issue of proxy signatures in more 
detail in Section 5. 

3 Schnorr-Based SMA 



We apply the SNPS of [LKK01] to the mobile agent situation. Firstly we review 
the Schnorr signature briefly. Let p and q be large primes with q | p − 1. Let g be a 
generator of a multiplicative subgroup of Z_p^* with order q. h() denotes a collision- 
resistant cryptographic hash function. Assume that a signer A has a private key 
x_A and the corresponding public key y_A = g^{x_A}. To sign a message m, A chooses 
a random number k ∈_R Z_q^* and computes r = g^k, s = x_A h(m, r) + k. Then 
the tuple (m, r, s) becomes a valid signed message. The validity of the signature is 
verified by g^s = y_A^{h(m, r)} · r. Note that the verification of the signature requires two 
modular exponentiations. 

Let A be a customer who has an authentic key pair (x_A, y_A) and B be a 
server who also has an authentic key pair (x_B, y_B). Let ID_A and ID_B denote 
the identities of A and B, respectively. Let req_A be A's requirement for a pur- 
chase (any necessary information such as price range, date, delivery requirement, 
etc.) and bid_B be B's bid information which conforms to req_A. 

Preparing the agent (by the customer A): 

A chooses a random number k_A ∈_R Z_q^* and computes r_A = g^{k_A}, s_A = 
x_A h(req_A, r_A) + k_A. The tuple (req_A, r_A, s_A) is A's Schnorr signature on req_A. 
A gives (req_A, r_A, s_A) to the mobile agent. Note that A does not specify any 
server in this stage. The mobile agent will migrate to servers through the network. 

Executing the agent (by the server B): 

B gets the mobile agent and tries to sell the product to A. 

— B verifies the validity of the mobile agent by checking g^{s_A} = y_A^{h(req_A, r_A)} · r_A. 

— B generates a secure proxy key pair as 

x_P = s_A + x_B, y_P = g^{x_P} = y_A^{h(req_A, r_A)} · r_A · y_B. 

— B generates bid information bid_B which conforms to req_A. He signs m = 
(ID_A, req_A, ID_B, bid_B, r_A) with the proxy private key x_P to generate σ_P = 
S(x_P, m) using the Schnorr signature scheme S(). He gives the following 
messages to the agent. 

(ID_A, req_A, ID_B, bid_B, r_A, σ_P). 

The mobile agent will get back to A with these messages as a receipt for her 
purchase. 

Verifying the signature (by anyone): 

When A receives (ID_A, req_A, ID_B, bid_B, r_A, σ_P) from the mobile agent, she 
can verify the validity of her purchase as follows: 

1) Verify the signature by V(y_P, m, σ_P) = true where y_P = y_A^{h(req_A, r_A)} · r_A · y_B 
and m = (ID_A, req_A, ID_B, bid_B, r_A). 

2) Verify the conformance of the bid: bid_B ∈ {req_A}. 

If the signature verification holds, it represents both the validity of the signature 
itself and the authenticity of the customer's delegation. 

We show that the proposed Schnorr-based SMA satisfies all the security 
requirements of SNPS. 

Theorem 1. The proposed Schnorr-based SNPS is as secure as the Schnorr 
signature scheme. 

Proof. We consider two attack scenarios; the first case is that A tries to forge 
an SNPS with the name of B without B's agreement, and the second case is 
that B tries to forge an SNPS without A's delegation. Let σ_P = (r, s) be a valid 
Schnorr-based SNPS for the message m = (ID_A, req_A, ID_B, bid_B, r_A) generated 
by using the proxy private key x_P, where r = g^k for a random number k ∈_R Z_q^* 
and s = x_P h(m, r) + k. Note that x_P is not known to A and B in both attack 
scenarios. 

1. Forgery by A: Assume that there is an SNPS breaker (oracle) which takes 
(m, k) and A's delegation as input and outputs a valid proxy signature (σ_P, r_A) 
which satisfies the verification equation. An attacker A chooses a random number 
k and computes r = g^k. She gives (m, k) and her delegation s' = x_A h(req_A, r_A) + 
k_A to the SNPS breaker; then it will output a valid SNPS (σ_P, r_A) which satisfies 
the verification equation g^s = (y_A^{h(req_A, r_A)} · r_A · y_B)^{h(m, r)} · r. Because of the group 
property of the discrete logarithm problem, 

s = (x_A h(req_A, r_A) + k_A + x_B) h(m, r) + k 
  = (s' + x_B) h(m, r) + k 

should hold. Then A can compute 

x_B h(m, r) + k = s − s' h(m, r) 

which is B's Schnorr signature on the message m. Using the SNPS breaker, A 
can forge B's Schnorr signature without knowing x_B. 

2. Forgery by B: Assume that there is an SNPS breaker which takes 
(m, req_A, k) as input and outputs a valid proxy signature (σ_P, r_A) which sat- 
isfies the verification equation. An attacker B chooses a random number k 
and computes r = g^k. He gives (m, req_A, k) to the SNPS breaker; then it will 
output a valid SNPS (σ_P, r_A) which satisfies the verification equation g^s = 
(y_A^{h(req_A, r_A)} · r_A · y_B)^{h(m, r)} · r. Because of the group property of the discrete logarithm 
problem, 

s = (x_A h(req_A, r_A) + k_A + x_B) h(m, r) + k 

should hold. Then B can compute 

x_A h(req_A, r_A) + k_A = (s − k)/h(m, r) − x_B 

which is A's Schnorr signature on req_A. Using the SNPS breaker, B can forge 
A's Schnorr signature without knowing x_A. 

Therefore the proposed Schnorr-based SNPS is as secure as the Schnorr sig- 
nature scheme. □ 
From Theorem 1 the proposed Schnorr-based SMA satisfies all the security 
requirements of SNPS. 

(i) Verifiability: A's agreement on req_A is included in y_P. If the proxy signature 
is verified to be valid, A's agreement is also verified explicitly. 

(ii) Strong unforgeability: Anyone except the proxy signer B cannot generate a 
valid proxy key pair under the name of B because it contains the proxy signer's 
private key x_B. Only the legitimate proxy signer can create a valid proxy 
signature. 

(iii) Strong identifiability: Identity information of the proxy signer B is included 
explicitly in a valid proxy signature in the form of the public key y_B. So anyone 
can determine the identity of the corresponding proxy signer. 

(iv) Strong undeniability: Once the proxy signer B creates a valid proxy sig- 
nature, he cannot repudiate it because the proxy key pair can be computed 
only by himself. 

(v) Prevention of misuse: If the proxy signer B uses the proxy key pair for 
other purposes that are not specified in req_A, it is his responsibility because 
he is the only person who can generate it. 



4 RSA-Based SMA 

In this section, we propose an RSA-based SNPS scheme and apply it to construct 
SMA. It is an extension of the [KBC00] scheme to include the proxy signer's signature. 

To generate RSA keys, each participant selects a modulus n which is the 
product of two large primes p, q and a number e such that 1 < e < φ(n) = 
(p − 1)(q − 1) and gcd(e, φ(n)) = 1. Let d be such that de = 1 mod φ(n). Let 
h() denote a collision-resistant cryptographic hash function. 

Let A be a customer who has an authentic RSA key (n_A, e_A, d_A) and B be a 
server who has an authentic RSA key (n_B, e_B, d_B). Let ID_A and ID_B denote the 
identities of A and B, respectively. Let req_A be A's requirement for a purchase 
(any necessary information such as price range, date, delivery requirement, etc.) 
and bid_B be B's bid information which conforms to req_A. 

Preparing the agent (by the customer A): 

A computes k = h(ID_A, req_A)^{d_A} mod n_A, which is her RSA signature on 
(ID_A, req_A). She gives (ID_A, req_A, k) to the mobile agent. Note that A does 
not specify any server (proxy signer) in this stage. The mobile agent will migrate to 
servers through the network. 

Executing the agent (by the server B): 

B gets the mobile agent and tries to sell the product to A. 

— B verifies the validity of the mobile agent by checking 

k^{e_A} mod n_A = h(ID_A, req_A). 
— B generates bid information bid_B which conforms to req_A and computes 

x = h(ID_A, req_A, ID_B, bid_B)^{d_B} mod n_B 

which is B's RSA signature on (ID_A, req_A, ID_B, bid_B). 

— B computes y = h(ID_A, req_A)^x mod n_A and z = k^x mod n_A. He gives the 
following messages to the mobile agent. 

(ID_A, req_A, ID_B, bid_B, x, y, z). 

The mobile agent will get back to A with these messages as a receipt for her 
purchase. 

Verifying the signature (by anyone): 

When A receives (ID_A, req_A, ID_B, bid_B, x, y, z) from the mobile agent, she 
can verify the validity of her purchase as follows: 

1) Verify B's signature: x^{e_B} mod n_B = h(ID_A, req_A, ID_B, bid_B). 

2) Verify the validity of y: y = h(ID_A, req_A)^x mod n_A. 

3) Verify A's signature: z^{e_A} mod n_A = y. 

4) Verify the conformance of the bid: bid_B ∈ {req_A}. 

The proxy signature is valid only when all the verifications above are passed. 
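The RSA-based flow above, as an added runnable example; it is not the authors' code. The keys are textbook RSA built from Mersenne primes so that the block is self-contained (such keys are trivially factorable and serve illustration only), h() is SHA-256 reduced into Z_n of the modulus the value is signed under, and the rule for "bid_B conforms to req_A" is a constructed price limit. The verifier performs the four checks of this section; the demo returns its decision and lets the caller alter the bid or the requirement in the receipt to see the first check fail.

```python
import hashlib
from math import gcd


def rsa_key(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two primes p, q; needs gcd(e, phi(n)) = 1."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return p * q, e, pow(e, -1, phi)          # d with d*e = 1 mod phi(n)


def h(n, *parts):
    """Collision-resistant hash h() as an integer in Z_n (repr of the tuple is unambiguous)."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % n


# Constructed demo keys from Mersenne primes: trivially factorable, illustration only.
KEY_A = rsa_key(2**61 - 1, 2**89 - 1)      # customer A: (n_A, e_A, d_A)
KEY_B = rsa_key(2**31 - 1, 2**107 - 1)     # server B:   (n_B, e_B, d_B)


def prepare_agent(key_A, ID_A, req_A):
    """Customer A: k = h(ID_A, req_A)^{d_A} mod n_A, her RSA signature on (ID_A, req_A)."""
    n_A, _, d_A = key_A
    return ID_A, req_A, pow(h(n_A, ID_A, req_A), d_A, n_A)


def execute_agent(agent, pk_A, key_B, ID_B, bid_B):
    """Server B: check A's delegation, sign the bid (x), and bind it to k via y and z."""
    ID_A, req_A, k = agent
    n_A, e_A = pk_A
    n_B, _, d_B = key_B
    if pow(k, e_A, n_A) != h(n_A, ID_A, req_A):     # k^{e_A} mod n_A = h(ID_A, req_A)
        raise ValueError("invalid delegation")
    x = pow(h(n_B, ID_A, req_A, ID_B, bid_B), d_B, n_B)   # B's RSA signature
    y = pow(h(n_A, ID_A, req_A), x, n_A)            # y = h(ID_A, req_A)^x mod n_A
    z = pow(k, x, n_A)                              # z = k^x mod n_A
    return ID_A, req_A, ID_B, bid_B, x, y, z


def conforms(bid, req):
    """Constructed rule for 'bid_B in {req_A}': the bid's price is within A's limit."""
    return bid["price"] <= req["max_price"]


def verify(receipt, pk_A, pk_B):
    """Anyone: the four checks of Section 4; the proxy signature is valid only if all pass."""
    ID_A, req_A, ID_B, bid_B, x, y, z = receipt
    n_A, e_A = pk_A
    n_B, e_B = pk_B
    return (pow(x, e_B, n_B) == h(n_B, ID_A, req_A, ID_B, bid_B)   # 1) B's signature
            and y == pow(h(n_A, ID_A, req_A), x, n_A)               # 2) validity of y
            and pow(z, e_A, n_A) == y                               # 3) A's signature via k
            and conforms(bid_B, req_A))                             # 4) bid conforms


def demo(tamper=None):
    """Full round trip; tamper="bid" or "req" alters the receipt before verification."""
    ID_A, ID_B = "customer-A", "server-B"
    req_A = {"route": "SYD-ICN", "max_price": 900}              # constructed requirement
    agent = prepare_agent(KEY_A, ID_A, req_A)
    receipt = list(execute_agent(agent, KEY_A[:2], KEY_B, ID_B, {"price": 850}))
    if tamper == "bid":                                          # cheaper bid substituted
        receipt[3] = {"price": 100}
    elif tamper == "req":                                        # looser requirement substituted
        receipt[1] = {"route": "SYD-ICN", "max_price": 9000}
    return verify(tuple(receipt), KEY_A[:2], KEY_B[:2])
```

Check 3 is where A's delegation is bound in: z^{e_A} = k^{x e_A} = h(ID_A, req_A)^x = y only if z was computed from the genuine k, which is exactly the quantity a server without A's delegation lacks; check 1 ties the same x to B, so a receipt altered in transit fails at the first equation regardless of whether the substituted bid would have conformed.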

We show that the proposed RSA-based SMA satisfies all the security require- 
ments of SNPS. 

Theorem 2. The proposed RSA-based SNPS is as secure as the RSA signature 
scheme. 

Proof. We consider two attack scenarios; the first case is that A tries to forge 
an SNPS with the name of B without B's agreement, and the second case is 
that B tries to forge an SNPS without A's delegation. Obviously the first at- 
tack cannot happen because a valid SNPS contains x, which is B's signature for 
(ID_A, req_A, ID_B, bid_B). Consider the second attack scenario where B tries to 
forge an SNPS without k. 

Assume that there is an SNPS breaker (oracle) which takes (ID_A, req_A, ID_B, 
bid_B, x) as input and outputs (y, z) which satisfy the verification equations. B 
prepares a warrant req_A and a conforming bid bid_B and generates his signature 
x = h(ID_A, req_A, ID_B, bid_B)^{d_B} mod n_B. He gives (ID_A, req_A, ID_B, bid_B, x) to 
the SNPS breaker; then it will provide a valid (y, z). y = h(ID_A, req_A)^x mod n_A 
can be verified from the known values (ID_A, req_A, x). To satisfy the third veri- 
fication equation, the following equation should hold. 

z^{e_A} mod n_A = h(ID_A, req_A)^x mod n_A. 

Then B can compute 

z^{x^{-1}} mod n_A = h(ID_A, req_A)^{d_A} mod n_A = k 
which is A's RSA signature on the message (ID_A, req_A). Using the SNPS breaker, 
B can forge A's RSA signature without knowing d_A. Therefore the proposed 
RSA-based SNPS is as secure as the RSA signature scheme. □ 

From Theorem 2 the proposed RSA-based SMA satisfies all the security 
requirements of SNPS. 

(i) Verifiability: The original signer's agreement on the purchase can be verified by 
the third verification equation. 

(ii) Strong unforgeability: Only the proxy signer B can generate a valid signature 
x satisfying the first verification equation. 

(iii) Strong identifiability: Anyone can determine the identity of the correspond- 
ing proxy signer by the first verification equation. 

(iv) Strong undeniability: Once B creates a valid proxy signature which passes 
all the verification equations, he cannot repudiate it later against anyone 
because a valid proxy signature can be generated only by himself. 

(v) Prevention of misuse: k is A's signature on (ID_A, req_A) and it cannot be 
used for other purposes which are not stated in req_A. The proxy signature 
scheme is executed using B's signature x, so any possible misuse of k is B's 
responsibility. 



5 Multi-proxy Mobile Agent 



In this section, we propose an efficient mobile agent scheme for the case where plural cus- 
tomers delegate their signing capabilities to a mobile agent. For example, we 
consider a situation in which a mobile agent is ordered to book flight tickets for 
plural customers. Using the Schnorr-based SMA scheme, where plural customers 
share the common system parameters p, q, and g, we can build an efficient mobile 
agent. 

[OSM01] considered a similar application, but their scheme is based on the 
proxy signature of [MUO96] and the customers' requirements are not used. So cus- 
tomers delegate their full signing capabilities to unspecified proxy signers and a 
server can sign any message on behalf of the customers. [YBX00] also proposed a proxy 
multi-signature scheme based on [MUO96]. We apply the strong non-designated 
proxy signature [LKK01] to the multi-proxy mobile agent. 



5.1 Multi-proxy Mobile Agent Scheme 

Let A_i (i = 1, ..., n) denote plural customers who have certified key pairs (x_i, y_i) 
and requirements req_i. They try to delegate their signing capabilities to unspec- 
ified servers through the mobile agent. Let B be a server who has a certified key 
pair (x_B, y_B) and is willing to sell flight tickets to the customers. He has to create a 
proxy signature on behalf of {A_1, ..., A_n} under requirements {req_1, ..., req_n}. 
Preparing the agent (by plural customers A_i): 

Plural customers A_i (i = 1, ..., n) choose random numbers k_i ∈_R Z_q^* and 
compute r_i = g^{k_i}, s_i = x_i h(req_i, r_i) + k_i. The tuple (req_i, r_i, s_i) is A_i's Schnorr 
signature on req_i. A_i gives (req_i, r_i, s_i) to the mobile agent. The mobile agent will 
migrate to servers through the network with this information. 

Executing the agent (by the server B): 

The server B gets the mobile agent and tries to sell the product to the customers 
{A_1, ..., A_n}. 

— B verifies the validity of the delegation information by checking g^{s_i} = 
y_i^{h(req_i, r_i)} · r_i for i = 1, ..., n. 

— If these tests have passed, B generates a secure proxy key pair as 

x_P = s_1 + ··· + s_n + x_B, y_P = g^{x_P}. 

— B generates his bid bid_B which conforms to all req_i (i = 1, ..., n). He signs 
m = (req_1, ..., req_n, bid_B) with the proxy private key x_P to generate 
σ_P = S(x_P, m) using the Schnorr signature scheme S(). The tuple 

(bid_B, σ_P, req_1, r_1, y_1, ..., req_n, r_n, y_n, y_B) 
is a valid proxy signature and represents valid flight tickets for {A_1, ..., A_n}. 

Verifying the signature (by anyone): 

When the plural customers receive the tuple from the mobile agent, they can 
verify the validity of their tickets as follows: 

1)  Verify the signature by V(y_P, m, σ_P) = true where 

y_P = ∏_{i=1}^{n} y_i^{h(req_i, r_i)} · r_i · y_B and m = (req_1, ..., req_n, bid_B). 

2) Check whether bid_B conforms to {req_1, ..., req_n}. 
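The two Schnorr-based flows, Section 3 with one customer and Section 5.1 above with n customers, as one added runnable example; it is not the authors' code. It generates its own small Schnorr group (p, q, g) with a Miller-Rabin test, uses SHA-256 reduced into Z_q as h(), and models req and bid as constructed dictionaries with a made-up price-limit rule for "bid_B conforms to req_i". The verifier never receives x_P: it rebuilds y_P from the public values (req_i, r_i, y_i) and y_B exactly as in the verification equations, so any change to a requirement or to the bid in the returned tuple makes the signature check fail.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; composites slip through with probability <= 4^-rounds."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False                         # this base is a witness: n is composite
    return True

def schnorr_group(qbits=128, pbits=256):
    """(p, q, g) with q | p-1 and g of order q; demo sizes, far below real use."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(5000):
            k = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
            p = q * k + 1                        # p - 1 = k*q, so q | p - 1
            if is_probable_prime(p) and pow(2, k, p) != 1:
                return p, q, pow(2, k, p)        # g = 2^((p-1)/q) has order q

P, Q, G = schnorr_group()

def h(*parts):
    """Hash h() into Z_q; repr() of the argument tuple is an unambiguous encoding here."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1             # private key x in Z_q^*
    return x, pow(G, x, P)                       # public key y = g^x

def schnorr_sign(x, m):
    """S(x, m): r = g^k, s = x*h(m, r) + k (mod q)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (x * h(m, r) + k) % Q

def schnorr_verify(y, m, sig):
    """V(y, m, sig): g^s == y^{h(m, r)} * r (mod p)."""
    r, s = sig
    return pow(G, s, P) == pow(y, h(m, r), P) * r % P

def proxy_keypair(delegations, pubkeys, x_B):
    """PKG at server B: verify each (req_i, r_i, s_i), then x_P = sum(s_i) + x_B, y_P = g^x_P."""
    for (req_i, r_i, s_i), y_i in zip(delegations, pubkeys):
        if not schnorr_verify(y_i, req_i, (r_i, s_i)):
            raise ValueError("invalid delegation")
    x_P = (sum(s_i for _, _, s_i in delegations) + x_B) % Q
    return x_P, pow(G, x_P, P)

def proxy_pubkey(deleg_pub, y_B):
    """Verifier: y_P = prod(y_i^{h(req_i, r_i)} * r_i) * y_B from public values only."""
    y_P = y_B
    for req_i, r_i, y_i in deleg_pub:
        y_P = y_P * pow(y_i, h(req_i, r_i), P) * r_i % P
    return y_P

def conforms(bid, reqs):
    """Constructed rule for 'bid_B in {req_i}': the price is within every customer's limit."""
    return all(bid["price"] <= r["max_price"] for r in reqs)

def single_customer_sma(tamper_bid=False):
    """Section 3 end to end; returns the verifier's decision on the receipt."""
    (x_A, y_A), (x_B, y_B) = keygen(), keygen()
    ID_A, ID_B, req_A = "customer-A", "server-B", {"route": "SYD-ICN", "max_price": 900}
    r_A, s_A = schnorr_sign(x_A, req_A)          # preparing the agent: (req_A, r_A, s_A)
    x_P, _ = proxy_keypair([(req_A, r_A, s_A)], [y_A], x_B)   # executing the agent at B
    bid_B = {"price": 850}
    sigma_P = schnorr_sign(x_P, (ID_A, req_A, ID_B, bid_B, r_A))
    receipt = [ID_A, req_A, ID_B, bid_B, r_A, sigma_P]
    if tamper_bid:                               # receipt altered on the way back to A
        receipt[3] = {"price": 1850}
    ID_A, req_A, ID_B, bid_B, r_A, sigma_P = receipt          # verifying, by anyone
    y_P = proxy_pubkey([(req_A, r_A, y_A)], y_B)              # y_A^{h(req_A,r_A)} r_A y_B
    return schnorr_verify(y_P, (ID_A, req_A, ID_B, bid_B, r_A), sigma_P) and conforms(bid_B, [req_A])

def multi_proxy_sma(n=3, chosen=None):
    """Section 5.1 end to end; `chosen` lets B serve only some of the n delegations."""
    custs = [keygen() for _ in range(n)]
    reqs = [{"route": "SYD-ICN", "max_price": 800 + 50 * i} for i in range(n)]
    agent = [(req,) + schnorr_sign(x, req) for (x, _), req in zip(custs, reqs)]
    x_B, y_B = keygen()
    idx = list(range(n)) if chosen is None else chosen
    sel, pubs = [agent[i] for i in idx], [custs[i][1] for i in idx]
    x_P, _ = proxy_keypair(sel, pubs, x_B)
    bid_B = {"price": 790}
    sigma_P = schnorr_sign(x_P, tuple(req for req, _, _ in sel) + (bid_B,))
    # Published: (bid_B, sigma_P, req_1, r_1, y_1, ..., req_n, r_n, y_n, y_B); the s_i stay with B.
    out = (bid_B, sigma_P) + tuple((req, r, y) for (req, r, _), y in zip(sel, pubs)) + (y_B,)
    bid, sig, *deleg_pub, yB = out                            # verifying, by anyone
    y_P = proxy_pubkey(deleg_pub, yB)
    reqs_pub = [req for req, _, _ in deleg_pub]
    return schnorr_verify(y_P, tuple(reqs_pub) + (bid,), sig) and conforms(bid, reqs_pub)
```

The group sizes (128-bit q, 256-bit p) are chosen so that the demonstration runs in well under a second; a deployment would use far larger parameters. `multi_proxy_sma(4, chosen=[0, 2])` shows the flexibility described in Section 5.2: B derives x_P from a subset of the delegations he received, and the verifier needs only that subset's public values plus y_B, never the s_i.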

5.2 Comparison with Multiple Signatures 

As stated in [MUO96], proxy signature schemes of partial delegation are more 
efficient than those of delegation by warrant. Consider a traditional approach 
of multiple independent signatures in which the plural customers A_i publish their signa- 
tures (req_i, r_i, s_i) and the server B just signs bid_B with his certified key pair 
(x_B, y_B). The proposed multi-proxy signature scheme is more efficient than the 
traditional approach of multiple independent signatures in the following sense. 

— A valid signature can be created by the proxy signer himself without any 
interaction with the original signers, while the traditional scheme requires n com- 
munications with the original signers. 

— The message size is reduced by n|q| because (s_1, ..., s_n) are not necessary in the pro- 
posed scheme. 

— Verification of the signature is more efficient because the proposed scheme requires 
only n+2 exponentiations (one signature verification and n exponentiations) 
while the traditional scheme requires 2(n+1) exponentiations for n+1 signature 
verifications. Moreover, simultaneous multiple exponentiation with distinct 
bases can be computed very efficiently [MOV97]. 

The proposed scheme can be used in a very flexible way because the server can 
choose different combinations of delegations by himself among the n delegations 
depending on the property of his bid. If he has only l < n flight tickets to sell, 
he can sell them only to l customers of his choice. 



6 Conclusion 

We have pointed out the necessity of using SNPS to construct SMA. To provide 
the fairness of a purchase, the proxy signature should represent both the customer's 
and the server's signatures. The validity of the bid information is verified by comparing 
it with the customer's requirement. From the observation that the features of unde- 
tachable signatures are very similar to those of proxy signatures, we extended the 
undetachable signature scheme to provide an RSA-based SNPS scheme and applied it to the mobile agent. 
Very similarly, we provided a Schnorr-based SMA scheme. In the multi-proxy situ- 
ation, the Schnorr-based SNPS can be used in a very efficient manner because plural 
customers can share the same system parameters. 

Proxy signatures are very useful tools when one needs to delegate his/her 
signing capability to another party. But in a distributed environment like the Inter- 
net, it is very difficult to assume the trustedness of the original signer, the proxy signer, 
and the proxy key issuing protocol between them. Because the delegation of sign- 
ing capability to others can be risky, proxy signature schemes should be designed 
carefully such that the proxy signer's responsibility is determined explicitly and any 
possibility of misuse is prevented. But if we can delegate signing capabilities 
safely using strong proxy signature schemes, many cryptographic applications in 
distributed environments such as electronic commerce and mobile agents can be 
implemented in a more efficient and flexible way. 
Abstract. We investigate password authenticated key exchange (PAKE) 
protocols in low resource environments, such as smartcards or mobile de- 
vices. In such environments, particularly in the future, it may be that 
the cryptosystems available for signatures and/or encryptions will be 
based on elliptic curves, because of their well-known advantages with 
regard to processing and size constraints. As a result, any PAKE pro- 
tocols which the device requires should also preferably be implemented 
over elliptic curves. We show that the direct elliptic curve (EC) analogs 
of some PAKE protocols are insecure against partition attacks. We go 
on to propose a new EC based PAKE protocol. A modified version of 
the protocol for highly constrained devices, such as smartcards, is also 
presented. 



1 Introduction 

A protocol that allows two parties to agree on a shared secret key is commonly 
known as a key exchange protocol. The protocol is said to be authenticated if the 
protocol authenticates one party to the other during the protocol run. Further, 
if the means of authentication is by a simple password known by both entities, 
the authenticated key exchange protocol is said to be password-based. 

Recently, password authenticated key exchange (PAKE) has received signif- 
icant interest from the research community. One of the reasons for this is that 
PAKE protocols can be used to establish an authenticated and secret channel 
between two parties without relying on the existence of a Public Key Infras- 
tructure (PKI), and provide security against both active and off-line dictionary 
attacks. This is certainly appealing in many environments where the deployment 
of a PKI is not possible or would be overly complex. 

The first PAKE protocol, known as Encrypted Key Exchange (EKE), was 
suggested by Bellovin and Merritt [3]. Subsequently many other PAKE protocols 
have been proposed. Nonetheless, most of the protocols have been proposed for 
only RSA or Discrete Logarithm (DL) settings so far. It seems that most authors 
have presumed that the adaptation of DL based protocols to the elliptic curve 
(EC) environment is straightforward. To the best of our knowledge, no concrete 
EC based PAKE protocol has been proposed in the literature. 

In a low resource environment, the natural choice for cryptographic protocols 
would be an EC implementation. This is due to the low computation and storage 
costs of EC based protocols. Since EC primitives may be the only ones available 
in certain environments, it is important to study the precise adaptation of DL- 
based PAKE protocols to an EC setting. 

In this paper, we investigate EC analogs of PAKE protocols. We show that 
direct EC analogs of the EKE protocol and its variants are susceptible to parti- 
tion attacks. We then go on to propose an EC encrypted key exchange protocol 
that is secure against partition attacks. We further propose a modification of 
the protocol for low resource (e.g. smartcard) applications. Here we stress that 
the EC analogs of other PAKE protocols such as SPEKE or PAK do not 
immediately appear to suffer from the partition attack described in this paper. 

The remainder of this paper is organized as follows. Section 2 gives an intro- 
duction to PAKE. This includes a discussion of the possible attacks against a 
PAKE protocol. Section 3 gives a detailed description of the EKE protocol. A 
discussion of how a partition attack can be applied to the protocol is also given 
in this section. Section 4 reviews the concept of elliptic curves and twisted ellip- 
tic curves, establishing some notation and elementary results for the subsequent 
sections. Section 5 proposes a new elliptic curve encrypted key exchange proto- 
col. In that section, we also justify our solution by showing that trivial solutions 
are insecure against partition attacks. A modification of the proposed protocol 
for smartcard applications is also included in the section. This has a DL analog, 
which is briefly described and discussed. Finally, conclusions are presented in 
Section 6. 

2 Password Authenticated Key Exchange 

In its simplest form, a PAKE protocol involves two parties both possessing the 
same secret, referred to as the password. This password is typically short, since 
it usually has to be memorised by a human participant. The PAKE protocol 
allows the involved parties to exchange information from which each party can 
derive a secret key. This secret key satisfies all requirements of a conventional 
Diffie-Hellman key exchange protocol. In particular, this shared secret key is not 
known to any parties not involved in the exchange protocol. Furthermore, the 
nature of password authentication ensures that a party can follow the protocol 
correctly (and thus be accepted by the other party) only if the party knows the 
correct password. During the protocol, a party can always detect whether the 
other party in the exchange possesses the correct password. 

The first PAKE protocol was the EKE protocol proposed by Bellovin and 
Merritt [3]. The idea of their proposal is to use the password to symmetrically 
encrypt the protocol messages of a standard Diffie-Hellman key exchange. An 
attacker could decrypt the symmetric encryption by guessing the password but 
could not tell whether the decryption results in a valid message. However, Patel 
subsequently showed that EKE protocols are susceptible to a partition at- 
tack (see below for further details). The solution to prevent the partition attack 
is to carefully choose the system parameters so that the attack is no longer appli- 
cable. Fortunately, such restrictions on the system parameters do not introduce 
any performance penalty or security issues. 

Another well-known PAKE protocol is Simple Password-authenticated Ex- 
ponential Key Exchange (SPEKE) proposed by Jablon. The idea of the pro- 
tocol is to involve the password in computing the base used in a conventional 
Diffie-Hellman key exchange. The protocol also introduces two extra steps for 
authenticating the generated secret key for each party respectively. 

Recently two new PAKE protocols with provable security have been pro- 
posed. Bellare et al. have given a specific variant of EKE which is provably 
secure in the ideal cipher model. The protocol of Boyko et al. is also a variant 
of EKE in which the symmetric encryption takes the form of multiplication in 
the Diffie-Hellman group; it is provably secure in the random oracle model. 

The security of a standard key exchange protocol may be measured against 
both passive attacks in which the adversary wiretaps valid instances of the key 
exchange protocol, and against active attacks in which the adversary may also 
masquerade as a valid protocol principal. Attacks may be aimed at obtaining 
information about the generated secret or about the long-term keying material. 

The classical Diffie-Hellman key exchange and its EC analog are known to 
be secure against passive attacks. However, they are clearly insecure against an im- 
personation attack, because no authentication mechanism is 
deployed. To prevent such attacks long-term keys are required, which in a PAKE 
protocol take the form of the password. The password allows each party in the 
protocol to authenticate the other party and thus prevents an adversary from 
impersonating an authorized party in the PAKE protocol run. 

However, the low entropy of a typical password opens a new possible attack 
against a PAKE protocol. This type of attack is often known as the off-line 
dictionary attack. In such an attack, the adversary tries to interact (even if un- 
successfully) with an honest party and also gathers information from exchanges 
between two honest parties. The adversary then applies a brute-force attack over 
the domain of the passwords (i.e. the dictionary) off-line. The attacker is success- 
ful if the gathered information can confirm which password in the dictionary is 
the valid one. A special class of the dictionary attack is the partition attack. In a 
partition attack, the adversary tries to use the gathered information to partition 
the password space (the dictionary) into feasible and infeasible passwords; if the 
latter set is large then the adversary may simply search through and eliminate 
all passwords in this set. Typically the correct password may be recovered after a 
number of valid sessions have been observed from the intersection of the feasible 
partition of the passwords for each session. 
3 Diffie-Hellman Encrypted Key Exchange 

In this section, we give an overview of the Diffie-Hellman based encrypted key 
exchange (DH-EKE) protocol. This is one of the three variants of EKE pro- 
posed by Bellovin and Merritt in [3]. We also provide a brief description of how 
a partition attack can be applied against the protocol. Patel gives further 
details. 

3.1 The DH-EKE Protocol 

The DH-EKE protocol involves two parties, Alice (the initiator of the protocol) 
and Bob. Alice and Bob share a secret password $P$ that is not known to any 
other party. There is also a publicly known prime number $p$ and a publicly known 
generator $g$ of the multiplicative group $GF(p)^*$. Also a symmetric encryption algorithm $Enc()$, its 
corresponding decryption algorithm $Dec()$ and a one-way hash function $\mathcal{H}()$ are 
publicly known. A variant of the DH-EKE protocol is as follows (see also Figure 1): 



Alice                                            Bob 

r_A ∈_R GF(p) 
g_A ← g^{r_A} mod p 
                  ------ Enc_P(g_A) ------> 
                                                 r_B ∈_R GF(p) 
                                                 g_B ← g^{r_B} mod p 
                                                 g_A ← Dec_P(Enc_P(g_A)) 
                                                 K_B ← g_A^{r_B} mod p 
                                                 Auth_B ← H(K_B || B) 
                  <---- Enc_P(g_B), Auth_B ---- 
g_B ← Dec_P(Enc_P(g_B)) 
K_A ← g_B^{r_A} mod p 
Auth_A ← H(K_A || A) 
check Auth_B = H(K_A || B) 
                  ------ Auth_A ------> 
                                                 check Auth_A = H(K_B || A) 

Fig. 1. A variant of the DH-EKE protocol (H() is the hash function) 



1. Alice and Bob generate random numbers $r_A$ and $r_B$ and compute $g_A = 
g^{r_A} \bmod p$ and $g_B = g^{r_B} \bmod p$ respectively. 

2. Alice and Bob encrypt $g_A$ and $g_B$ using the shared password $P$ to generate 
$Enc_P(g_A)$ and $Enc_P(g_B)$ respectively. 

3. Alice sends $Enc_P(g_A)$ to Bob. 

4. Upon receiving $Enc_P(g_A)$, Bob computes $g_A = Dec_P(Enc_P(g_A))$. Bob then 
computes the key $K_B = g_A^{r_B} \bmod p$. Bob then generates the authenticator $Auth_B = 
\mathcal{H}(K_B \| B)$ of $K_B$. 
5. Bob sends $Enc_P(g_B)$ and $Auth_B$ to Alice. 

6. Upon receiving $Enc_P(g_B)$ and $Auth_B$, Alice applies $Dec_P$ to $Enc_P(g_B)$ 
to recover $g_B$. Alice then computes $K_A = g_B^{r_A} \bmod p$ and verifies that $Auth_B = 
\mathcal{H}(K_A \| B)$. 

7. If the verification passes, Alice accepts $Auth_B$ and sends to Bob $Auth_A = 
\mathcal{H}(K_A \| A)$. 

8. In turn, Bob checks that $Auth_A = \mathcal{H}(K_B \| A)$. If the verification passes, Bob 
accepts $Auth_A$. 

The protocol is successful if both Alice and Bob accept $Auth_B$ and $Auth_A$ re- 
spectively. The generated key then is $K = K_A = K_B$. The completeness is due 
to $K_A = g_B^{r_A} = g^{r_A r_B} = g_A^{r_B} = K_B$. 

The protocol described here is not the exact description of the original DH- 
EKE. It is in fact an instance of the construction described by Bellare and 
Rogaway [2]. The difference between this protocol and the original DH-EKE 
protocol is the existence of the values $Auth_A$ and $Auth_B$. These two values are to 
authenticate Alice to Bob and Bob to Alice respectively. In the original DH- 
EKE, a different authentication mechanism is used. Nonetheless both methods 
achieve the same goal. 

3.2 Variants of the DH-EKE Protocol 

The DH-EKE protocol can be modified in many ways. One type of variant 
changes the construction of the authentication part as shown above. 

Another modification that can be made to the protocol is to omit the encryp- 
tion with the password $P$ by either Bob or Alice (but not both). Then instead 
of sending the encryption of $g_A$ or $g_B$, Alice or Bob shall send the plaintext $g_A$ 
or $g_B$ to the other party. In this variant, the order of authentication between 
Alice and Bob must also be modified. The rule is that the party who does not 
perform any encryption in the first part must initiate the authentication step. 
This prevents an active adversary using the authentication field to mount an 
off-line dictionary attack. Patel discusses the security of such omissions in 
detail. 

3.3 A Partition Attack against the DH-EKE Family 

Patel has shown that the DH-EKE protocol and its variants are susceptible 
to a partition attack if the values of $g$ and $p$ are not chosen carefully. 

If the value $g$ is not a generator of $GF(p)^*$ but only a generator of a subgroup of 
order $q$ of $GF(p)^*$, an adversary can mount a partition attack as follows. Firstly 
the adversary obtains $Enc_P(g_A)$ by wiretapping an exchange between Alice and 
Bob. Next, the adversary tries to decrypt $Enc_P(g_A)$ using a candidate password $P_i$. If the 
password $P_i$ is correct, the decryption will result in a value $g_A$ which is of order 
$q$. If $P_i$ is not the correct password, it is likely that the decryption will result in a 
value which is not of order $q$: for a random (incorrect) $P_i$ the decryption behaves 
as a random element of $GF(p)^*$, which has order exactly $r$, for $r \mid p-1$, with 
probability $\varphi(r)/(p-1)$. The attacker can check, by 
raising the result to the power $q$ and checking whether 1 is obtained, whether 
the order divides $q$. It can then be seen that the probability that 1 is obtained, 
for an incorrect password, is $q/(p-1)$. Thus the possible space of valid passwords is 
reduced by a factor of $q/(p-1)$ on average, by observing one exchange session. Over 
a number of sessions the space of valid passwords will be narrowed down to a 
single password at a logarithmic rate. 

To avoid the attack, it is suggested that $g$ has to be a generator of $GF(p)^*$ and 
that if Alice is allowed to choose $p$ and $g$ for the protocol, Bob must check that 
$g$ is indeed a generator. 

Similar partition attacks are possible if the value of $p$ is not chosen carefully. 
In this case, if trial decryption of $Enc_P(g_B)$ with candidate passwords leads 
to values equal to or larger than $p$, then these candidate passwords may be 
eliminated. 
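The DH-EKE run of Section 3.1 and the subgroup partition attack just described, as an added example that is not part of the original paper. It assumes constructed toy parameters (the prime p = 7919 with a base of order q = 107, and a dictionary of 2000 made-up passwords) and a constructed 16-bit Feistel cipher with cycle walking standing in for the paper's Enc_P()/Dec_P(); every function name is the example's own. The attacker's test is exactly the one in the text: raise each trial decryption to the power q and keep only the candidates that yield 1.

```python
"""DH-EKE (the Fig. 1 variant) with a base g of small order q, and the partition
attack of Section 3.3 run against wiretapped sessions.  Added example, not the
paper's code.  Everything is a constructed toy: p is tiny, and the 16-bit Feistel
"password cipher" only stands in for the paper's Enc_P()/Dec_P()."""
import hashlib
import random

P_MOD = 7919                     # prime; p - 1 = 2 * 37 * 107
Q_ORD = 107                      # g generates only the subgroup of this order
ROUNDS = 4

def subgroup_generator(p, q):    # h^((p-1)/q) has order q unless it equals 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1: return g

G = subgroup_generator(P_MOD, Q_ORD)

def _feistel(key, x, rounds):    # 16-bit Feistel network; same loop with reversed rounds inverts it
    l, r = x >> 8, x & 0xFF
    for i in rounds:
        l, r = r, l ^ hashlib.sha256(key + bytes([i, r])).digest()[0]
    return (r << 8) | l

def enc_pw(password, m):         # cycle-walk so ciphertexts stay in 1..p-1 (no ">= p" leak)
    c = m
    while True:
        c = _feistel(password.encode(), c, range(ROUNDS))
        if 1 <= c < P_MOD: return c

def dec_pw(password, c):         # with a wrong password this is a random element of GF(p)^*
    m = c
    while True:
        m = _feistel(password.encode(), m, reversed(range(ROUNDS)))
        if 1 <= m < P_MOD: return m

def auth(k, ident):
    return hashlib.sha256(f"{k}|{ident}".encode()).hexdigest()

def dh_eke_session(password, rng):
    """One run of Fig. 1; returns what a wiretapper sees plus the agreed key."""
    r_a = rng.randrange(1, Q_ORD); g_a = pow(G, r_a, P_MOD)       # step 1 (Alice)
    c_a = enc_pw(password, g_a)                                   # steps 2-3: Alice -> Bob
    r_b = rng.randrange(1, Q_ORD); g_b = pow(G, r_b, P_MOD)       # step 1 (Bob)
    k_b = pow(dec_pw(password, c_a), r_b, P_MOD)                  # step 4
    c_b, auth_b = enc_pw(password, g_b), auth(k_b, "B")           # step 5: Bob -> Alice
    k_a = pow(dec_pw(password, c_b), r_a, P_MOD)                  # step 6
    assert auth_b == auth(k_a, "B")
    auth_a = auth(k_a, "A")                                       # step 7: Alice -> Bob
    assert auth_a == auth(k_b, "A")                               # step 8
    return {"c_a": c_a, "c_b": c_b, "auth_b": auth_b, "auth_a": auth_a}, k_a

def partition_attack(transcripts, dictionary):
    """Keep only candidates whose trial decryptions all satisfy x^q = 1: true for
    the right password, and for a wrong one only with probability q/(p-1), so
    every wiretapped ciphertext shrinks the feasible set by about that factor."""
    alive = set(dictionary)
    for t in transcripts:
        for c in (t["c_a"], t["c_b"]):
            alive = {pw for pw in alive if pow(dec_pw(pw, c), Q_ORD, P_MOD) == 1}
    return alive

def demo(seed=1, n_pw=2000, sessions=3):
    """Survivors after one and after all wiretapped sessions for a 2000-word dictionary."""
    rng = random.Random(seed)
    dictionary = [f"pw{i:04d}" for i in range(n_pw)]
    secret = dictionary[1234]
    transcripts = [dh_eke_session(secret, rng)[0] for _ in range(sessions)]
    return (secret, partition_attack(transcripts[:1], dictionary),
            partition_attack(transcripts, dictionary))
```

With q/(p-1) about 1.35 percent here, a single session (two ciphertexts) already leaves almost nothing but the correct password, and three sessions leave it alone; with g a generator of the whole of GF(p)^* the test x^q = 1 would hold for every candidate and eliminate none, which is the parameter restriction the text recommends.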

4 Elliptic Curves and Twisted Elliptic Curves 

In this section, we review the basic notation and definitions of elliptic curves, as 
well as the concept of the twist of an elliptic curve. This concept is crucial to 
the construction of our new protocol. 

The use of elliptic curve groups in public key cryptography was first proposed 
by Koblitz and Miller. Recently there has been much focus on such cryp- 
tosystems, with adoption in various standards, such as WAP, IEEE P1363 
and ANSI X9.62. This is because public key methods based on elliptic 
curve groups typically have lower processing requirements, and can achieve the 
same level of security with considerably shorter key sizes than cryptosystems 
based on the more traditional RSA and standard discrete logarithm schemes. As 
such, elliptic curve cryptographic systems are ideal for environments where pro- 
cessing power, time and/or network bandwidth are at a premium. Consequently, 
there is a drive for the adoption of elliptic curve based protocols in wireless 
environments and smartcard based applications. 

For the sake of simplicity, we consider the case of a curve over a field of charac- 
teristic greater than 3. For the case of characteristic two, analogous statements 
hold true. A more general discussion of twists of elliptic curves is given by 
Silverman. 

Following Blake et al., we consider a curve defined over the field $K = 
GF(q)$, where $q = p^m$ and $p > 3$ is a prime. Consider the curve in short Weier- 
strass form, i.e. 

$E_{a,b} : Y^2 = X^3 + aX + b.$ 

Set $g(X) = X^3 + aX + b$, so that the equation of the curve becomes $Y^2 = g(X)$. 
As shown in the literature, we may define an additive (abelian) group on the 
set of points on this curve (taken together with the point at infinity). It is this 
group, and the discrete logarithm problem defined therein, which may be used 
to define cryptographic primitives. 

In the following sections, use shall be made of the concept of the twist of an 
elliptic curve. Consider then the curve $E_{a',b'}$ where $a' = v^2 a$ and $b' = v^3 b$ for 
some $v \in K^*$. If we set $g_v(X) = v^3 g(X/v)$, then we have the equation of the 
curve $E_{a',b'}$ given by $Y^2 = g_v(X)$. However, $E_{a,b}$ is isomorphic to $E_{A,B}$ over $K$ 
if and only if $A = u^4 a$ and $B = u^6 b$ for some $u \in K^*$. Hence the curve $E_{a',b'}$ is 
isomorphic to $E_{a,b}$ if $v$ is a quadratic residue. Furthermore, if $v$ is not a quadratic 
residue, then there is a unique such curve, up to isomorphism over $K$. This is 
called the twist of $E_{a,b}$. [Note that over $GF(q^2)$ the original curve and its twist 
are isomorphic.] 

An observation that will be of use in the subsequent sections is 
the following. Consider $X \in K$ for which $g(X) \neq 0$. Then if $g(X)$ is a non-zero 
quadratic residue, $X$ is the x-coordinate of a point on $E_{a,b}$. Otherwise, $g_v(vX)$ 
is a quadratic residue, and hence $vX$ is the x-coordinate of a point on $E_{a',b'}$. 
The following lemma summarises the relevant properties about the connection 
between a curve and its twist. 

Lemma 1. Let 

$C = \{X \in K \mid g(X) \text{ is a quadratic residue in } K\}$ 

$T = \{X \in K \mid g_v(vX) \text{ is a quadratic residue in } K\}$ 

Then 

1. $C \cap T = \emptyset$. If $g(X) \neq 0$ then $X \in C \cup T$. 

2. $X \in C \iff g(X) \neq 0$ and $\exists Y$ such that $(X, Y) \in E_{a,b}$. 

3. $X/v \in T \iff g(X/v) \neq 0$ and $\exists Y$ such that $(X, Y) \in E_{a',b'}$. 

Note also that in the following sections we will need to represent the points 
of the elliptic curve in a compressed form. Denoting the points naively, an affine 
point $(X, Y)$ requires $2n$ bits, where $n$ is the bit length of the underlying field. 
There is a trivial reduction to $n + 1$ bits by observing that, given $X$, the value of 
$Y$ is one of the two solutions of a quadratic equation. A single bit may be used to 
distinguish between these two solutions. While this compressed form is clearly 
convenient and cost effective (particularly in situations in which transmission 
bandwidth is limited), in the following we shall see that it is essential in order to 
obviate simple attacks on the protocols described. 

In order for the elliptic curve $E_{a,b}$ to be suitable for use in a cryptosystem, 
it is required that: 

— the group has a subgroup of large prime order, 

— the curve is not anomalous ($N_{a,b} = q = p$ is the anomalous case, where $N_{a,b}$ is the group order), 

— the curve satisfies the MOV condition (the smallest value of $l$ such 
that $q^l \equiv 1 \bmod N_{a,b}$ should be large). 

In the protocols we will describe in which both the curve and its twist are used, 
these properties are also required of the twist. [The order of the group of the 
twisted curve is given by the relation $N_{a,b} + N_{a',b'} = 2q + 2$, in the case that $E_{a',b'}$ 
is the twist of $E_{a,b}$. Hence there is little additional effort required in verifying that 
these properties hold for any generated curve and its twist over and above that for 
the curve alone.] We shall assume in the following that the elliptic curves we use 
satisfy these security constraints. 
5 Elliptic Curve Encrypted Key Exchange 

In this section, we present our elliptic curve encrypted key exchange (EC-EKE) 
protocol. We further show an unbalanced variant of the protocol. Such a protocol 
may be utilized in a situation in which one of the parties has limited processing 
power, such as communication between a smartcard or mobile device and a 
terminal or server. First, however, we will show that the direct EC analog of the 
DH-EKE protocol is insecure and thus justify our design. 

Throughout this section, we shall use the notation of the preceding section, 
and consider a curve $E_{a,b}$ together with its twist $E_{a',b'}$, for suitably chosen $a'$ 
and $b'$. For further simplicity, we restrict to the case $q = p$, i.e. consider the 
curve over $GF(p)$. 

5.1 Trivial Protocols Are Insecure against Partition Attacks 

Following the usual methodology of replacing the DL group operations with 
operations in an EC group, the obvious procedure would be to design the EC- 
EKE protocol as the direct EC analog of a variant of the DH-EKE protocol. 

The principle of any variant of the DH-EKE protocol is that Alice, say, will 
encrypt and send the encryption of $g_A = g^{r_A}$ to Bob. The direct analog in EC is 
that Alice will encrypt the point $G_A = r_A * G$ and send the encryption $Enc_P(G_A)$ 
to Bob. 

The trivial encryption method is to encrypt $(X_A, Y_A)$ in $Enc_P(G_A)$, where 
$G_A = (X_A, Y_A)$. In this case, the adversary can simply apply an off-line dictio- 
nary attack to a valid $Enc_P(G_A)$ by decrypting $Enc_P(G_A)$ with every password 
$P_i$ in the password space. Clearly, if $P_i$ is incorrect, the decryption should result 
in a random pair $(X_i, Y_i)$. Even if $X_i, Y_i \in GF(p)$, the point $(X_i, Y_i)$ is on the 
elliptic curve $E_{a,b}$ only if it satisfies 

$Y_i^2 = g(X_i) \bmod p.$ 

This happens with a probability of order $1/p$ for a random pair $(X_i, Y_i) \in GF(p)^2$. 
Typically the size of the password space is much less than $p$. Hence the adversary 
should be able to identify the correct password $P$ given a single valid encryption 
$Enc_P(G_A)$ using such a dictionary attack. 

As discussed in the previous section, an alternative, more compact form for 
the representation of the point $G_A$ is its compressed form, in which the 
y-coordinate is replaced by a single bit. If the adversary applies a dictionary 
attack on the encryption $Enc_P(G_A)$ in this situation, the adversary will be able 
to recover the x-coordinate $X_i$ for the password choice $P_i$ and a bit indicating 
which solution $Y_i$ to choose. If the password $P_i$ is incorrect, $X_i$ will be essentially 
random. Observe however that a random $X_i$ is a valid x-coordinate only if $g(X_i)$ 
is a quadratic residue. From Hasse's theorem, we know that the 
number of such values $X_i$ in $GF(p)$ is in the range $[(p+1)/2 - \sqrt{p},\ (p+1)/2 + \sqrt{p}]$. 
Thus a random $X_i$ in $GF(p)$ is a valid x-coordinate of $E_{a,b}$ with a probability in 
the range $[1/2 - O(1/\sqrt{p}),\ 1/2 + O(1/\sqrt{p})]$. Hence the adversary can successfully 
apply a partition attack by reducing the possible password space by roughly 
half given a valid $Enc_P(G_A)$. This means the password can be recovered given 
a number of sessions of the order of the log of the size of the password space. 

5.2 An Elliptic Curve Encrypted Key Exchange Secure against 
Partition Attacks 

In the previous subsection, we have shown that the direct EC analog of any 
variant of the DH-EKE protocol is insecure. In this subsection, we propose a 
new EC-EKE protocol and show that the protocol is secure against partition 
attacks. 

In order to avoid the elementary attacks described in the previous subsec- 
tion, the simplest approach would be to ensure that any candidate x-coordinate 
observed by an adversary is valid. This would then obviate the partition attack. 

We recall from Lemma 1 that for $X \in GF(p)$ for which $g(X) \neq 0$, if $g(X)$ 
is a non-zero quadratic residue, $X$ is the x-coordinate of a point on the curve. 
Otherwise, $g_v(vX)$ is a quadratic residue, and hence $vX$ is the x-coordinate of 
a point on the twist of the curve. Using this observation, an EC-EKE protocol 
is designed as follows. 

Let $E_{a',b'}$ be the twist of $E_{a,b}$. Let $G$ be a generator point of the 
curve $E_{a,b}$ and $H$ be a point which generates the curve $E_{a',b'}$. Here we assume 
that the points of $E_{a,b}$ and $E_{a',b'}$ respectively form cyclic groups. There are 
two important remarks that should be made in relation to the choice of these 
parameters. 

— Generation of suitable curve/twist pairs will inevitably take considerably 
longer than when the properties of the twist are irrelevant. However, this is 
a one time setup cost and a single curve may be re-used for a large number 
of different users. 

— It is common to run a Diffie-Hellman exchange in prime order subgroups in 
order to avoid small subgroup attacks. To preserve the properties which 
prevent partition attacks we have to use generators of the whole of the curve 
groups. Therefore we need to additionally require either that the curve group 
and its twist have prime order, or (more practically) check that all received 
values are not in any small subgroup. The latter may be achieved by making 
a number of simple checks depending on the factorisation of the curve co- 
factor. We regard this matter as an implementation detail and therefore 
ignore it in the protocol description. 

To generate a password-authenticated shared secret key $K$, Alice and Bob 
proceed as follows (see Figure 2): 

1. Alice randomly selects either the curve $E_{a,b}$ or $E_{a',b'}$ for use in this run of 
the protocol. 

2. Alice chooses a random $r_A$ and computes $G_A = r_A * G$ if the selected curve 
is $E_{a,b}$, or $H_A = r_A * H$ otherwise. 
Alice                                            Bob 

Select E_{a',b'} 
r_A ∈_R GF(p)                                    r_B ∈_R GF(p) 
H_A ← r_A * H 
(X_A, Y_A) ← H_A 
              ------ Enc_{P_A}(X_A/v || y_A) ------> 
                                                 X' || y'_A ← Dec_{P_B}(Enc_{P_A}(X_A/v || y_A)) 
                                                 As g(X') is a quadratic non-residue, X'_A ← vX' 
                                                 Recover H'_A ← (X'_A, Y'_A) 
                                                 H_B ← r_B * H 
                                                 K_B ← r_B * H'_A 
                                                 G_B ∈_R E_{a,b} 
                                                 Auth_B ← H(K_B || B) 
              <------ G_B, H_B, Auth_B ------ 
K_A ← r_A * H_B 
Auth_A ← H(K_A || A) 
check Auth_B = H(K_A || B) 
              ------ Auth_A ------> 
                                                 check Auth_A = H(K_B || A) 

Fig. 2. The EC-EKE protocol: the chosen curve is the twisted curve E_{a',b'} 
(in Auth_A and Auth_B, H() is the hash function; H, H_A, H_B are points on the twist) 



3. Alice compresses the point $G_A = (X_A, Y_A)$ (or $H_A = (X_A, Y_A)$) to $(X_A, y_A)$ 
where $y_A$ is a single bit representing $Y_A$ in the compressed form. 

4. If the (untwisted) curve $E_{a,b}$ is chosen, Alice sends $Enc_{P_A}(X_A \| y_A)$ to Bob. 
Otherwise Alice sends $Enc_{P_A}(X_A/v \| y_A)$ to Bob. 

5. Upon receipt of the ciphertext, Bob decrypts it to obtain $X' \| y'_A$. If Bob finds 
that $g(X')$ is a quadratic residue, then Alice's chosen curve is the untwisted 
curve and the x-coordinate is $X'_A = X'$. Otherwise, Alice's chosen curve is 
the twisted curve and the x-coordinate is $X'_A = vX'$. 

6. Once Bob has determined the x-coordinate $X'_A$, Bob recovers the point $G'_A$ 
(or $H'_A$) from $X'_A$ and $y'_A$. Bob also chooses a random value $r_B$. Bob then 
computes $G_B = r_B * G$ and $K_B = r_B * G'_A$ if the untwisted curve is chosen 
by Alice, and chooses a random point $H_B$ on the twisted curve. Otherwise 
Bob computes the points $H_B = r_B * H$ and $K_B = r_B * H'_A$, and chooses a 
random point $G_B$ on the untwisted curve. 

7. Next Bob sends the points $G_B$ and $H_B$ and the authenticator $Auth_B = 
\mathcal{H}(K_B \| B)$ to Alice. 

8. In turn, Alice computes $K_A = r_A * G_B$ if the untwisted curve $E_{a,b}$ is chosen. 
Otherwise Alice computes $K_A = r_A * H_B$. 

9. Alice then verifies $Auth_B = \mathcal{H}(K_A \| B)$. If so, Alice sends $Auth_A = \mathcal{H}(K_A \| A)$ 
to Bob. 

10. Finally, Bob verifies that $Auth_A = \mathcal{H}(K_B \| A)$. If so, the protocol is com- 
pleted. 
The shared secret key $K$ is derived from $K_A$ or $K_B$ using a publicly known 
algorithm. As this step is not important in our protocol, we omit it here and 
simply assume that $K_A$ and $K_B$ are Alice's and Bob's copies of the shared secret 
key respectively. 

The completeness of the protocol is as follows (assuming Alice chooses the 
untwisted curve; clearly a similar result holds in the other case). If $P_A = P_B$, at 
step 5 Bob will recover $X' = X_A$ and thus can determine that Alice chose the 
untwisted curve at step 1. This means that at step 6, Bob will recover the point 
$G'_A = G_A$ that is chosen by Alice. Thus we have $K_B = r_B * G'_A = r_B * r_A * G = 
r_A * G_B = K_A$ and the checks 

$Auth_B = \mathcal{H}(K_B \| B) = \mathcal{H}(K_A \| B)$ 

and 

$Auth_A = \mathcal{H}(K_A \| A) = \mathcal{H}(K_B \| A)$ 

follow. 



5.3 Security 

Formally proving the security of this protocol is difficult as it uses a sym- 
metric encryption scheme for which no formal proof model exists. Under passive 
attacks, the security of this protocol is based on the fact that both $E_{a,b}$ and 
$E_{a',b'}$ are cyclic and $G$ and $H$ generate $E_{a,b}$ and $E_{a',b'}$ respectively. Thus the 
triplet $\{G_A, G_B, K\}$ (or $\{H_A, H_B, K\}$) is indistinguishable from a random set in 
$E_{a,b}$ (or $E_{a',b'}$). This implies that passive attacks are not feasible assuming that 
$\mathcal{H}()$ leaks no information to the attacker. For active attacks, we consider the 
protocol under three different types of attacks, namely impersonation attacks, 
off-line dictionary attacks and partition attacks. 

For the impersonation attack: 

— If the attacker impersonates Bob, the attacker will need to supply a valid 
$Auth_B$ to Alice given $Enc_{P_A}(X_A \| y_A)$. Alice will accept $Auth_B$ only if 
$Auth_B = \mathcal{H}(K_A \| B)$. This requires the attacker to know $K_A$ when computing 
$Auth_B$. This is possible only if the attacker can derive the correct point $G_A$ from 
the encryption $Enc_{P_A}(X_A \| y_A)$. This happens only if the attacker knows the correct 
password. 

— If the attacker impersonates Alice, the attacker will have to give Bob the 
value $Enc_{P_i}(X_A \| y_A)$ for a password $P_i$ of the attacker's choice. Unless $P_i = 
P_A$, the point $G'_A$ or $H'_A$ that Bob recovers will differ from the point $G_A$ (or 
$H_A$) that the attacker has chosen in the first place. Bob accepts the protocol 
only if Bob accepts $Auth_A$. This happens only if $K_A = K_B$ or the 
attacker is able to compute $K_B$. Assuming that $\mathcal{H}()$ is a random oracle, the 
attacker will have to compute $K_B = r_B * G'_A$ (or $r_B * H'_A$) from $G_A$ and 
$G_B$ (or $H_A$ and $H_B$). This is solvable only if the attacker can solve the EC 
discrete logarithm problem for $G'_A$ and $G_A$ (or $H'_A$ and $H_A$). 
For dictionary and partition attacks, an attacker can decrypt $Enc_{P_A}(X \| y)$ 
using a password $P_i$ to obtain $(X_i \| y_i)$ where $X_i$ is random. However, as we 
have seen above, all $X_i \in GF(p)$ are valid, the $X$ with $g(X) = 0$ being 
negligible in practice. Furthermore, as $E_{a,b}$ ($E_{a',b'}$) is cyclic, the point 
$G_i$ (or $H_i$) is indistinguishable from a random point under the EC Diffie-Hellman 
assumption. Thus the decryption gives no useful information about the plaintext 
to the attacker provided the value of $p$ is chosen suitably, exactly as for DH- 
EKE as discussed in Section 3 and by Patel. Note that it is essential in this 
protocol that the points be represented in compressed form prior to encryption. 
If not, then sufficient information will remain to perform a partition attack. 
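The EC-EKE protocol of Section 5.2 and the wiretapper's trial decryption of Sections 5.1 and 5.3, as an added example that is not the paper's code. It runs both sides of the protocol over a constructed toy curve (p = 1019, a = b = 1) and its twist, then replays the attacker's test against the same kind of transcript under the naive encoding of Section 5.1 (Alice always on E_{a,b}, plain X) and under the twist encoding of step 4. The password cipher (a hash-derived pad added to X, XOR on the y bit), the base points and all names are the example's own assumptions, and the decoy point of step 6 is left out. The block also checks the relation N_{a,b} + N_{a',b'} = 2p + 2 from Section 4 by brute-force point counting.

```python
"""EC-EKE of Section 5 over a toy curve and its twist, run end to end, plus the
wiretapper's trial decryption of Section 5.1.  Added example, not the paper's
code.  All values are constructed: p = 1019 is far too small for real use, and
the password "cipher" (a hash pad added to X, XOR on the y bit) stands in for Enc_P."""
import hashlib
import random

P = 1019                          # prime, p = 3 (mod 4): a square root is one exponentiation
A, B = 1, 1                       # E_{a,b}: Y^2 = X^3 + X + 1 over GF(p)

def legendre(n):                  # 1 residue, -1 non-residue, 0 when p | n
    r = pow(n % P, (P - 1) // 2, P)
    return -1 if r == P - 1 else r
def sqrt_mod(n):                  # correct only for residues
    return pow(n % P, (P + 1) // 4, P)
def g(x, a, b):
    return (x * x * x + a * x + b) % P

V = next(v for v in range(2, P) if legendre(v) == -1)   # non-residue v defining the twist
A2, B2 = V * V * A % P, V * V * V * B % P                # E_{a',b'}: a' = v^2 a, b' = v^3 b
def ec_add(p1, p2, a):            # affine group law; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, pt, a):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt, a)
        pt, k = ec_add(pt, pt, a), k >> 1
    return acc
def group_order(a, b):            # N_{a,b} = p + 1 + sum_x legendre(g(x))
    return P + 1 + sum(legendre(g(x, a, b)) for x in range(P))
def point_on(a, b, x=1):          # first affine point with x-coordinate >= x (wrapping)
    while legendre(g(x, a, b)) != 1: x = (x + 1) % P
    return (x, sqrt_mod(g(x, a, b)))
G_PT, H_PT = point_on(A, B), point_on(A2, B2)   # base points on the curve and on its twist

def random_mult(rng, base, a):    # r * base for a random r, avoiding infinity and Y = 0
    while True:
        r = rng.randrange(1, P); pt = ec_mul(r, base, a)
        if pt is not None and pt[1] != 0: return r, pt
def encode(pt, on_twist):         # steps 3-4: compress, and send X/v when on the twist
    x, y = pt
    return (x * pow(V, -1, P) % P if on_twist else x, y & 1)
def decode(xp, ybit):             # steps 5-6: the QR character of g(X') names the curve
    on_twist = legendre(g(xp, A, B)) == -1
    x, a, b = (V * xp % P, A2, B2) if on_twist else (xp, A, B)
    y = sqrt_mod(g(x, a, b))      # g_v(vX') = v^3 g(X') is a residue whenever g(X') is not
    return (x, y if y & 1 == ybit else (-y) % P), on_twist

def pad(pw):                      # constructed toy password cipher, NOT the paper's Enc_P
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big")
def enc_pw(pw, x, ybit): return ((x + pad(pw)) % P, ybit ^ (pad(pw) >> 200 & 1))
def dec_pw(pw, c):       return ((c[0] - pad(pw)) % P, c[1] ^ (pad(pw) >> 200 & 1))
def auth(k, ident):
    return hashlib.sha256(f"{k}|{ident}".encode()).hexdigest()

def run_ec_eke(pw, rng, twist_aware):
    """Steps 1-10; twist_aware=False is the direct analog of Section 5.1 (always E_{a,b}, plain X)."""
    on_twist = twist_aware and rng.random() < 0.5                      # step 1 (Alice)
    a, base = (A2, H_PT) if on_twist else (A, G_PT)
    r_a, p_a = random_mult(rng, base, a)                               # step 2
    c = enc_pw(pw, *encode(p_a, on_twist))                             # steps 3-4: Alice -> Bob
    p_a2, twist2 = decode(*dec_pw(pw, c))                              # steps 5-6 (Bob)
    a2, base2 = (A2, H_PT) if twist2 else (A, G_PT)
    r_b, p_b = random_mult(rng, base2, a2)
    k_b = ec_mul(r_b, p_a2, a2)
    auth_b = auth(k_b, "B")           # step 7: Bob -> Alice (decoy point on the other curve omitted)
    k_a = ec_mul(r_a, p_b, a)                                          # step 8 (Alice)
    assert auth_b == auth(k_a, "B") and k_a == k_b                     # step 9
    auth_a = auth(k_a, "A")                                            # Alice -> Bob
    assert auth_a == auth(k_b, "A")                                    # step 10 (Bob)
    return c, k_a

def survives(pw, c, twist_aware):
    """Wiretapper's trial decryption with one candidate password."""
    xp, bit = dec_pw(pw, c)
    if not twist_aware:               # direct analog: X' must be an x-coordinate on E_{a,b}
        return legendre(g(xp, A, B)) >= 0
    (x, y), tw = decode(xp, bit)      # twist encoding: is the decoded point really on its curve?
    return y * y % P == g(x, *((A2, B2) if tw else (A, B)))

def demo(seed=7, n_pw=400, sessions=6):
    """Dictionary survivors after `sessions` wiretapped runs under each encoding."""
    rng = random.Random(seed)
    dictionary = [f"pin{i:04d}" for i in range(n_pw)]
    secret = dictionary[123]
    def attack(twist_aware):
        alive = set(dictionary)
        for _ in range(sessions):
            c, _k = run_ec_eke(secret, rng, twist_aware)
            alive &= {pw for pw in dictionary if survives(pw, c, twist_aware)}
        return alive
    return secret, attack(False), attack(True)
```

Running demo() keeps all 400 candidates alive under the twist encoding, while the naive encoding discards about half of them per wiretapped session, as Section 5.1 predicts. decode() is exactly Bob's step 5 test; because it succeeds for every X' in GF(p) (the only exceptions being the few X with g(X) = 0, which decode as points with Y = 0), there is no residue class for the attacker to partition on.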

5.4 An Unbalanced Variant for Smartcards 

As we have discussed, the use of EC methods is often advantageous in envi- 
ronments in which there are limited resources for computation. In severely con- 
strained devices, such as smartcards, further optimizations may be required. In 
this subsection, we describe a suitable protocol for this case. 

An example of the sort of situation we have in mind is that a user is required 
to authenticate to a smartcard by means of a password. The link between the 
user’s password entry device (a terminal) and the smartcard may be insecure. A 
PAKE protocol is an ideal solution for this particular problem. In this scenario, 
authentication of the card back to the user is not required. However, it may 
easily be added to our proposed protocol if required. 

The idea of the protocol is to optimize the number of scalar (EC) multi- 
plications that the card has to perform, since this is the operation which is 
computationally expensive. This is achieved by fixing the value $r_A$ generated by 
the card for all transactions. The price we pay is the loss of forward secrecy. 
However, if we link this value to the secret stored in the card, the use of which 
the user authentication is there to protect, then if $r_A$ is compromised the secret 
in the card is compromised, and thus there is no longer anything to protect. This 
means that forward secrecy is no longer a significant requirement. 

The protocol is as follows. Again, we use the notation of Section 4. To set up 
the protocol, the card chooses either $E_{a,b}$ or $E_{a',b'}$. For the sake of simplicity, let 
us assume that the card chooses $E_{a,b}$. The card then chooses a random value $r_A$, 
preferably linked to the secret stored in the card. It then computes $G_A = r_A * G$. 
The above process is performed only once. The card then stores $r_A$ and $G_A$ for 
future use. It also stores a counter $c$ initially set to 0. When a user requires to 
establish a password-authenticated secret session with the card, the card and 
the user perform the following variant of the EC-EKE protocol: 

1. The card increases the counter $c = c + 1$ and sends to the user $Enc_{P_A}(X_A \| y_A)$ 
where $X_A$ is the x-coordinate of $G_A$ and $y_A$ is the bit representing the y- 
coordinate $Y_A$ of $G_A$. 

2. The user decrypts $Enc_{P_A}(X_A \| y_A)$ to obtain $X'$. The user then determines 
whether $g(X')$ is a quadratic residue and thus determines which is the chosen 
curve. In the case here, the user determines that $E_{a,b}$ is the chosen curve. 
Then the user constructs the point $G'_A$ from $X'_A = X'$ and $y_A$. 
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3. Next the user chooses a random value rs and computes Gb = tb * G and 
Kb = tb* G'jj^. Also the user chooses a random point Hb of Ea',b'- The user 
also constructs the authenticator Auth = H{Kb\\c). Then the user sends 
Auth, Gb and Hb to the card. 

4. The card computes Ka = ta* Gb and verifies that Auth = H{Ka\\c). If so, 
the card accepts the user and the protocol is completed. 

The advantage of this scheme is that the card only needs to perform a single 
scalar multiplication, a saving of one scalar multiplication compared with the 
original protocol. This reduces the computational requirement for the card by 
about a half. There is a potential replay attack on the protocol if an old $K_A$ or 
$K_B$ value is available to an attacker; this is discussed further below. 

It is clear that this protocol is secure against partition and dictionary attacks. 
A similar argument as for our EC-EKE protocol can be applied here. Impersonating 
the user would be as difficult as for the original protocol. This is because 
the tasks that the user has to perform and the card has to verify in regard to the 
user's information remain unchanged. The value $c$ is introduced to compensate 
for the fixing of $t_A$. Thus, each session is different and a straight replay attack 
is not possible. 

5.5 Some Comments on the DL Analog 

For completeness, we make a few points regarding the DL analog of the above 
unbalanced scheme. The relevance is that the following discussion also touches 
on points of difference between the EC and DL schemes, showing again that the 
map between protocols is not always straightforward. 

There is a naive analog of the above EC protocol as follows. 

Let us suppose that we are working over the field $GF(p)$ with $g$ a generator. 
As before, the counter $c$ is initialized to zero. In addition, the card chooses a 
random value $t_A$, preferably linked to the secret stored in the card. It then 
computes $g_A = g^{t_A} \bmod p$, and stores $t_A$ and $g_A$ for future use. 

The protocol may then be as follows: 

1. The card increases the counter $c = c + 1$ and sends to the user $Enc_{P_B}(g_A)$. 

2. The user decrypts this to obtain $g_A$. 

3. Next the user chooses a random value $t_B$ and computes $g_B = g^{t_B} \bmod p$ 
and $K_B = g_A^{t_B} \bmod p$. The user also constructs the authenticator $Auth = 
H(K_B \| c)$. Then the user sends $Auth$ and $g_B$ to the card. 

4. The card computes $K_A = g_B^{t_A} \bmod p$ and verifies that $Auth = H(K_A \| c)$. 
If so, the card accepts the user and the protocol is completed. 

This naive protocol satisfies the same security properties as for the EC case. 
However, we note that compromise of Ka or Kb would allow an adversary to 
impersonate the user in subsequent protocol runs by replaying the compromised 
session. Though these values are temporary (the session key should be derived 
from them and then they should be deleted) and this vulnerability is therefore 
not of major significance, it is easily fixed by the following version of the protocol: 
1. The card increases the counter $c = c + 1$ and sends to the user $Enc_{P_B}(g_A)$. 

2. The user decrypts this to obtain $g_A$. 

3. Next the user chooses a random value $t_B$ and computes $g_B = g^{t_B} \bmod p$ 
and $K_B = g_A^{t_B} \bmod p$. The user also constructs the authenticator $Auth = 
H(K_B)$. Then the user sends $Auth$ and $Enc_{P_B}(c + g_B)$ to the card. 

4. The card recovers $g_B$ and computes $K_A = g_B^{t_A} \bmod p$ and verifies that 
$Auth = H(K_A)$. If so, the card accepts the user and the protocol is completed. 

Note that the tying of the counter $c$ to the user's DH value $g_B$ by the password $P_B$ 
prevents the sort of replay attack noted above should $K_A$ or $K_B$ be compromised. 
Of course, compromise of $t_A$ is still fatal as discussed above. 

It is interesting to note however that there does not seem to be an EC analog 
of the above protocol. The encryption on the data sent by the user could be 
mapped, as we have done above, to a protocol using a curve and its twist. 
However, the card would also have to use the same protocol ideas, and the user 
and card cannot make an independent choice of curve to use, i.e. if the card 
chooses the twisted curve then so must the user. A partition attack therefore 
becomes feasible again. We omit the details, but simply note it as an example of 
the distinction between DL and EC schemes which is not immediately apparent 
from a naive approach. 



6 Conclusion 

Motivated both by the recent interest in TAKE protocols and by the uptake of 
EC cryptographic schemes, we have considered the transition of the DL based 
TAKE protocol DH-EKE to the EC environment. We have demonstrated that 
the naive EC analogs of such schemes are vulnerable to partition attacks. Fur- 
thermore, we have proposed a secure EC variant, using the concept of the twist 
of an elliptic curve in order to render the effectiveness of the partition attack 
negligible. Unbalanced schemes, in both the DL and EC settings, adapted to 
severely resource limited participants on one side of the protocol, have also been 
proposed and examined. It is observed throughout that the transition to EC 
schemes cannot be made naively, and it is suggested that distinct protocols for 
the DL and EC environments may need to be considered. 

Further development of these ideas is the subject of ongoing work. In particular, 
given that a curve and its twist over $GF(p)$ are isomorphic over $GF(p^2)$, it 
might seem that the problems touched on in Section 5.5 regarding introducing 
encryption of the data sent by both parties may be resolved if the two parties 
are able to derive the shared secret elliptic curve point in this larger structure. 

Note that though PAKE schemes such as SPEKE and PAK do not 
immediately appear to suffer from the problems encountered above in transitioning 
to an EC analog, further investigation is required to clarify this statement. 
We have at the very least demonstrated that the development of EC analogs of 
PAKE protocols can be non-trivial. 
Abstract. The market for Personal Digital Assistants (PDA) is growing 
rapidly and PDAs are becoming increasingly interesting for commercial 
transactions. One requirement for further growth of eCommerce with 
mobile devices is the provision of security. We implemented elliptic curves 
over binary fields on a Palm OS device. We chose the NIST recommended 
random and Koblitz curves over $GF(2^{163})$ that provide a sufficient 
level of security for most commercial applications. Using Koblitz curves 
a typical security protocol like Diffie-Hellman key exchange or ECDSA 
signature verification requires less than 2.4 seconds, while ECDSA 
signature generation can be done in less than 0.9 seconds. This should be 
tolerated by most users. 



Keywords: Elliptic Curves, Koblitz Curves, Binary Fields, Palm OS 

1 Introduction 

The market for Personal Digital Assistants (PDA) is growing rapidly and PDAs 
are becoming increasingly interesting for commercial transactions. For eCommerce, 
provision of security is a must. Since elliptic curve cryptosystems are a 
promising match for embedded systems because of their short operand lengths 
and efficient arithmetic, we implemented elliptic curves over binary fields on a 
Palm OS device to investigate if today's PDAs are sufficient for secure 
transactions. The most popular PDAs use the Palm Operating System (Palm OS). 
We used a Handspring Visor model with 2 MB of memory. This device has a 
Motorola Dragonball CPU that provides eight data registers and seven address 
registers, all of them 32-bit in size. The processor offers 16-bit and 32-bit 
operations and runs at 16 MHz. To the authors' knowledge only two 
elliptic curve implementations on a Palm Pilot have been reported so far. In [2] PGP was 
ported to wireless devices, and a second paper analyzes electronic commerce applications on 
a Palm Pilot. However, the first implementation was not optimized for the Palm 
Pilot while the second one uses a commercial library. Both papers also point out 
that the popular RSA system is very slow on a Palm Pilot. For most electronic 
commerce applications the security provided by elliptic curves over $GF(2^{163})$ 
should be sufficient as long as there are no substantial improvements in solving 
the elliptic curve discrete logarithm problem (DLP). This bit length is often 
considered to be security-equivalent to RSA with a 1024-bit key length. We chose 
the NIST recommended random and Koblitz curves over $GF(2^{163})$ and selected 
binary curves since the integer multiplication unit of the Dragonball processor is 
very slow. Koblitz curves allow shorter run times while they provide nearly the 
same level of security according to current knowledge about attacks. Our 
implementation is mostly based on the algorithms used in a comprehensive software 
implementation for a PC and on Solinas' work about Koblitz curves. 

2 Arithmetic in $GF(2^m)$ 

2.1 Field Representation 

For our implementation we used a polynomial basis representation. Let $f(x)$ be an 
irreducible binary polynomial of degree $m$ with small weight, 
that is a trinomial or pentanomial. The elements of $GF(2^m)$ are represented by 
the binary polynomials of degree at most $m - 1$. Addition and multiplication 
in $GF(2^m)$ are performed as polynomial operations modulo $f(x)$. An element 
$a \in GF(2^m)$ is written as the polynomial $a(x) = \sum_{i=0}^{m-1} a_i x^i$, stored as the 
binary vector $a = (a_{m-1}, \ldots, a_0)$. We store $a$ in an array $A$ of 16-bit words of 
size $s = \lceil m/16 \rceil$ and write $A = (A[s-1], \ldots, A[0])$. The rightmost bit of $A[0]$ is 
$a_0$ and $a_{m-1}$ is part of $A[s-1]$. The bits left of $a_{m-1}$ are set to zero. For our 
implementation we used an array of twelve 16-bit words to store an element of 
$GF(2^{163})$ such that we can also consider $A$ to be an array of $s' = 6$ 32-bit words. 



2.2 Addition 

Addition over binary fields is performed by a bitwise XOR. Since the Motorola 
Dragonball CPU performs one 32-bit XOR faster than two 16-bit XORs, we 
add two binary vectors $A$ and $B$ by performing five 32-bit XORs and one 16-bit 
XOR. We denote this operation by $\oplus$. 

2.3 Multiplication 

To compute $c = a \cdot b$ we first compute the polynomial $c'(x) = a(x) \cdot b(x)$ and 
then reduce it to $c(x) = c'(x) \bmod f(x)$. 



Polynomial Multiplication. Algorithm 1 computes $c' = a \cdot b$ using a window 
method. First the polynomials $B_u = u \cdot b(x)$ are precomputed for $0 \le u < 2^w$, 
where $w$ is the window size. In each step of the loop $w$ bits of $a$ are considered. 
We unrolled the two nested FOR loops completely, which resulted in a slight 
performance gain. By $C'\{j\}$ we denote the bit vector $(C'[s-1], \ldots, C'[j])$. In step 
6 the $m$-bit vector $B_u$ is added to $C'\{j\}$, where the rightmost bit of $B_u$ is added to 
the rightmost bit of $C'\{j\}$. 

Algorithm 1 Comb method with window size w = 4 
INPUT: Binary polynomials a(x) and b(x) of degree at most m - 1. 
OUTPUT: The binary polynomial c'(x) = a(x) · b(x). 

1: Compute B_u(x) = u(x) · b(x) for all polynomials u(x) of degree at most 3. 
2: C' ← 0 
3: for i = 3 down to 0 do 
4:   for j = 0 to s - 1 do 
5:     Let u = (u_3, u_2, u_1, u_0), where u_k is bit (4i + k) of A[j]. 
6:     C'{j} ← C'{j} ⊕ B_u 
7:   end for 
8:   if i ≠ 0 then 
9:     C' ← C' · x^4 
10:  end if 
11: end for 
12: Return c'(x) 

We also experimented with the Karatsuba Algorithm as described in Algorithm 2. 
However, our results were always slower than the comb method described above. 
We implemented the Karatsuba Algorithm three times recursively and 
applied the comb method with window size $w = 3$ to the resulting degree-20 
polynomials. 



Algorithm 2 Karatsuba Algorithm 

INPUT: Binary polynomials a(x) and b(x) of degree at most m - 1. 
OUTPUT: The binary polynomial c'(x) = a(x) · b(x). 

1: Write a(x) = a_1(x) x^{m/2} + a_0(x) and b(x) = b_1(x) x^{m/2} + b_0(x) 
2: D_0(x) ← a_0(x) b_0(x) 
3: D_1(x) ← a_1(x) b_1(x) 
4: D_2(x) ← (a_0(x) ⊕ a_1(x)) (b_0(x) ⊕ b_1(x)) 
5: c'(x) ← D_1(x) x^m ⊕ (D_2(x) ⊕ D_0(x) ⊕ D_1(x)) x^{m/2} ⊕ D_0(x) 
6: Return c'(x) 



Polynomial Reduction. If $f(x)$ is a trinomial or a pentanomial with middle 
terms close to each other, reduction of $c'(x)$ modulo $f(x)$ can be efficiently 
performed one word at a time. Algorithm 3 performs the modulo reduction by 
$f(x) = x^{163} + x^7 + x^6 + x^3 + 1$. It is based on the fact that 

$x^{163} \equiv x^7 + x^6 + x^3 + 1 \pmod{f(x)}$ 

$\vdots$ 

$x^{324} \equiv x^{168} + x^{167} + x^{164} + x^{161} \pmod{f(x)}$ 

A word $C[i]$ is now reduced by adding $C[i]$ four times to $C$, with the rightmost bit 
of $C[i]$ properly aligned as described on the right side of the above congruences. 
For example, reduction of $C[9]$ is performed by adding $C[9]$ four times to $C$, with 
the rightmost bit of $C[9]$ added to the bits 132, 131, 128 and 125 of $C$. Note that 
we used 32-bit arithmetic and 32-bit words since XOR and shift operations for 
32-bit words have lower runtime than for two 16-bit words. Therefore the array 
value $C[0]$ describes the bits 0 to 31 of the value $c$. 



Algorithm 3 Modular reduction by f(x) = x^163 + x^7 + x^6 + x^3 + 1 

INPUT: A binary polynomial c(x) of degree at most 324. 
OUTPUT: c(x) mod f(x). 

1: for i = 10 down to 6 do 
2:   T ← C[i] 
3:   C[i - 6] ← C[i - 6] ⊕ (T << 29) 
4:   C[i - 5] ← C[i - 5] ⊕ (T << 4) ⊕ (T << 3) ⊕ T ⊕ (T >> 3) 
5:   C[i - 4] ← C[i - 4] ⊕ (T >> 28) ⊕ (T >> 29) 
6: end for 
7: T ← C[5] AND 0xFFFFFFF8 
8: C[0] ← C[0] ⊕ (T << 4) ⊕ (T << 3) ⊕ T ⊕ (T >> 3) 
9: C[1] ← C[1] ⊕ (T >> 28) ⊕ (T >> 29) 
10: C[5] ← C[5] AND 0x00000007 
11: Return (C[5], ..., C[0]) 



2.4 Squaring 

Squaring in $GF(2^m)$ is a linear operation and much faster than multiplying 
two arbitrary elements. To square $a(x) = \sum_i a_i x^i$ compute $a(x)^2 = \sum_i a_i x^{2i}$, 
which is obtained by inserting a 0-bit between consecutive bits of 
the binary representation of $a$. The result is reduced modulo $f(x)$. Algorithm 4 
describes how this can be done using a precomputed table. As before we used 
32-bit words and 32-bit operations. 



2.5 Modular Division 

Instead of using the Extended Euclidean Algorithm to compute an inversion, we 
used Algorithm 5 to compute a modular division $a/b$ directly. It has roughly 
the same running time as the Extended Euclidean Algorithm and therefore saves 
one multiplication to compute a field division. Note that division by $x$ is 
accomplished by a right-shift operation. The comparison between two elements $a(x)$ 
and $b(x)$ is done by considering the bit vectors $a$ and $b$ as integers. 
Algorithm 4 Squaring in GF(2^m) 

INPUT: a ∈ GF(2^m) 
OUTPUT: c = a^2 ∈ GF(2^m). 

1: Precompute for each byte b = (b_7, ..., b_0) the 16-bit vector T(b) = (0, b_7, ..., 0, b_0). 
2: for i = 0 to s' - 1 do 
3:   Let A[i] = (A_3[i], A_2[i], A_1[i], A_0[i]) where the A_j[i] are bytes. 
4:   C'[2i] ← (T(A_1[i]), T(A_0[i])) 
5:   C'[2i + 1] ← (T(A_3[i]), T(A_2[i])) 
6: end for 
7: c(x) = c'(x) mod f(x) 
8: Return c(x) 



Algorithm 5 Modular Division in GF(2^m) 

INPUT: a, b ≠ 0 ∈ GF(2^m) 
OUTPUT: c = a/b mod f(x) ∈ GF(2^m). 

1: u ← b, v ← f(x), c ← a, d ← 0. 
2: while u ≠ v do 
3:   if u mod 2 = 0 then 
4:     u ← u/x 
5:     if c mod 2 = 0 then c ← c/x else c ← (c ⊕ f(x))/x end if 
6:   else if v mod 2 = 0 then 
7:     v ← v/x 
8:     if d mod 2 = 0 then d ← d/x else d ← (d ⊕ f(x))/x end if 
9:   else if u > v then 
10:    u ← (u ⊕ v)/x, c ← c ⊕ d 
11:    if c mod 2 = 0 then c ← c/x else c ← (c ⊕ f(x))/x end if 
12:  else 
13:    v ← (u ⊕ v)/x, d ← c ⊕ d 
14:    if d mod 2 = 0 then d ← d/x else d ← (d ⊕ f(x))/x end if 
15:  end if 
16: end while 
17: Return c(x) 
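Algorithms 1, 3 and 4 above, as an added example in C that is not the paper's Palm OS code: elements of $GF(2^{163})$ are kept in six 32-bit words as in Section 2.1, so the comb loop visits eight nibble positions per word instead of the four of the 16-bit presentation (an assumption of this example); the reduction follows Algorithm 3 line by line, and the self-check runs on constructed operands.

```c
#include <stdint.h>
#include <string.h>

#define S 6                          /* 6 x 32-bit words hold bits 0..162 */
/* Window-4 comb multiplication (the page's Algorithm 1 on 32-bit words, so the
   outer loop visits 8 nibble positions); c' = a*b has degree <= 324, 12 words. */
static void poly_mul_comb(uint32_t c[12], const uint32_t a[S], const uint32_t b[S])
{
    uint32_t bu[16][S], carry, w;        /* B_u(x) = u(x)*b(x), degree <= 165 */
    int u, i, j, k;
    memset(c, 0, 12 * sizeof(uint32_t));
    memset(bu[0], 0, sizeof bu[0]);
    memcpy(bu[1], b, sizeof bu[1]);
    for (u = 2; u < 16; u++) {
        if ((u & (u - 1)) == 0) {        /* u = 2^e: B_u = x * B_{u/2} */
            for (k = 0, carry = 0; k < S; k++) {
                w = bu[u / 2][k];
                bu[u][k] = (w << 1) | carry;
                carry = w >> 31;
            }
        } else {                         /* B_u = B_{u - lowbit} xor B_{lowbit} */
            for (k = 0; k < S; k++)
                bu[u][k] = bu[u & (u - 1)][k] ^ bu[u & -u][k];
        }
    }
    for (i = 7; i >= 0; i--) {
        for (j = 0; j < S; j++) {
            u = (a[j] >> (4 * i)) & 0xF;            /* nibble i of A[j] */
            for (k = 0; k < S; k++)
                c[j + k] ^= bu[u][k];               /* C'{j} = C'{j} xor B_u */
        }
        if (i != 0) {                               /* C' <- C' * x^4 */
            for (k = 11; k > 0; k--)
                c[k] = (c[k] << 4) | (c[k - 1] >> 28);
            c[0] <<= 4;
        }
    }
}

/* The page's Algorithm 3: reduce modulo f(x) = x^163+x^7+x^6+x^3+1 one word at a
   time; bit k of C[i] is x^(32i+k) and x^163 = x^7+x^6+x^3+1 fixes the shifts. */
static void reduce_163(uint32_t r[S], uint32_t c[12])
{
    uint32_t t;
    int i;
    for (i = 10; i >= 6; i--) {
        t = c[i];
        c[i - 6] ^= t << 29;
        c[i - 5] ^= (t << 4) ^ (t << 3) ^ t ^ (t >> 3);
        c[i - 4] ^= (t >> 28) ^ (t >> 29);
    }
    t = c[5] & 0xFFFFFFF8u;                         /* bits 163..191 */
    c[0] ^= (t << 4) ^ (t << 3) ^ t ^ (t >> 3);
    c[1] ^= (t >> 28) ^ (t >> 29);
    c[5] &= 0x7u;
    memcpy(r, c, S * sizeof(uint32_t));
}

void gf163_mul(uint32_t r[S], const uint32_t a[S], const uint32_t b[S])
{
    uint32_t c[12];
    poly_mul_comb(c, a, b);
    reduce_163(r, c);
}

/* The page's Algorithm 4: squaring inserts a 0 between consecutive bits of a;
   table T spreads one byte into a 16-bit word, two bytes fill each 32-bit word. */
void gf163_square(uint32_t r[S], const uint32_t a[S])
{
    static uint16_t tab[256];
    uint32_t c[12] = {0}, w;
    int i, k;
    if (tab[255] == 0)                              /* build T(b) once */
        for (i = 0; i < 256; i++)
            for (k = 0; k < 8; k++)
                tab[i] |= (uint16_t)(((i >> k) & 1) << (2 * k));
    for (i = 0; i < S; i++) {
        w = a[i];
        c[2 * i]     = ((uint32_t)tab[(w >> 8) & 0xFF] << 16) | tab[w & 0xFF];
        c[2 * i + 1] = ((uint32_t)tab[w >> 24] << 16) | tab[(w >> 16) & 0xFF];
    }
    reduce_163(r, c);
}

/* Self-check on constructed operands: x^162 * x = x^163 must reduce to
   x^7+x^6+x^3+1 = 0xC9, and the field identities a*b = b*a and a*a = a^2 hold. */
int gf163_selfcheck(void)
{
    uint32_t x[S] = {2}, x162[S] = {0, 0, 0, 0, 0, 1u << 2};
    uint32_t a[S] = {0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210, 5};
    uint32_t b[S] = {0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0, 0x13579BDF, 3};
    uint32_t r1[S], r2[S];
    gf163_mul(r1, x162, x);
    if (r1[0] != 0xC9 || r1[1] || r1[5]) return 0;
    gf163_mul(r1, a, b); gf163_square(r2, a);      /* placeholder for a^2 below */
    gf163_mul(r2, b, a);                            /* commutativity */
    if (memcmp(r1, r2, sizeof r1)) return 0;
    gf163_mul(r1, a, a); gf163_square(r2, a);      /* a*a must equal a^2 */
    return memcmp(r1, r2, sizeof r1) == 0;
}
```
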
2.6 Timings 

Table 1 displays the timings for one field operation. We spent most time 
implementing the comb method since the field multiplication is the crucial operation. 
Reduction and squaring can be implemented efficiently. Division is very expensive 
and will be avoided where possible. 



Table 1. Timings in ms for one field operation 

Operation                     time 
Multiplication, comb method   2.35 
Multiplication, Karatsuba     4.41 
Reduction                     0.24 
Squaring                      0.49 
Division                     38.01 



3 Elliptic Curve Basics 

3.1 Arithmetic 

An elliptic curve over $GF(2^m)$ is defined by the (affine) curve equation 

$E : Y^2 + XY = X^3 + aX^2 + b$ (1) 

where $a, b \in GF(2^m)$ and $b \ne 0$. If $a, b \in GF(2)$, i.e., $b = 1$ and $a = 0$ or 1, 
the curve has special properties that can be used for efficient arithmetic and it 
is called a Koblitz curve. All points $P = (x, y)$ that satisfy (1) and an additional 
point at infinity $O$ form a group $E(GF(2^m))$. Assume $P_1 = (x_1, y_1) \ne O$, $P_2 = 
(x_2, y_2) \ne O$ and $P_1 \ne -P_2$. Then $P_3 = (x_3, y_3) = P_1 + P_2$ is computed as 
follows. 

If $P_1 \ne P_2$: 

$\lambda = \frac{y_1 + y_2}{x_1 + x_2}, \quad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \quad y_3 = (x_1 + x_3)\lambda + x_3 + y_1$ 

If $P_1 = P_2$: 

$\lambda = x_1 + \frac{y_1}{x_1}, \quad x_3 = \lambda^2 + \lambda + a, \quad y_3 = (x_1 + x_3)\lambda + x_3 + y_1$ 
The group operation requires one division and one multiplication in either 
case. By using projective coordinates as described later the division can be 
avoided. A scalar or point multiplication is defined as repeated addition via 

$k \cdot P = \underbrace{P + \ldots + P}_{k \text{ times}}$ 

There are no efficient attacks known on elliptic curves. The DLP for random 
curves $E(GF(2^m))$ can be solved on average in $2^{m/2}$ steps, e.g., by using Pollard's 
Rho method. Therefore a curve over $GF(2^{163})$ is considered appropriate to 
obtain a secret key for a symmetric cipher with a key length of around 80 bits. 
An attack on Koblitz curves using the special structure shortens the running 
time by a factor of $\sqrt{m}$. 

3.2 Point Representation 

If inversion in $GF(2^m)$ is expensive relative to multiplications it may be more 
efficient to represent points in projective coordinates. Since a field division is 
more expensive than 10 multiplications we use the projective coordinates 
where the projective point $(X, Y, Z)$ corresponds to the affine point 
$(X/Z, Y/Z^2)$. The doubling formula $(X_2, Y_2, Z_2) = 2(X_1, Y_1, Z_1)$ for projective 
coordinates is given by 

$Z_2 = X_1^2 Z_1^2$ 

$X_2 = X_1^4 + b Z_1^4$ 

$Y_2 = b Z_1^4 Z_2 + X_2 (a Z_2 + Y_1^2 + b Z_1^4)$ 

The projective form of the addition formula is 

$(X_0, Y_0, Z_0) + (X_1, Y_1, Z_1) = (X_2, Y_2, Z_2)$ 

For the special case $Z_1 = 1$, i.e., $(X_1, Y_1)$ are affine coordinates, this can be 
computed as follows: 

$A = Y_1 Z_0^2 + Y_0, \quad B = X_1 Z_0 + X_0, \quad C = Z_0 B$ 
$D = B^2 (C + a Z_0^2), \quad Z_2 = C^2, \quad E = A C, \quad X_2 = A^2 + D + E$ 
$F = X_2 + X_1 Z_2, \quad G = X_2 + Y_1 Z_2, \quad Y_2 = E F + Z_2 G$ 

In case that $a = 0$ or 1, point doubling requires 4 field multiplications. Mixed 
point addition requires 9 multiplications. We based all point multiplication 
methods on these projective point doubling and mixed point addition formulas. We only used 
affine point operations for point precomputations. 
4 Random Curves 

4.1 Curve Parameters 

For our implementation we used a NIST recommended random curve with 
the parameters 

a = 1 

b = 0x2 0A601907 B8C953CA 1481EB10 512F7874 4A3205FD 

and group order 

#E(GF(2^163)) = 2 · 5846006549323611672814742442876390689256843201587 

NIST also recommends the randomly chosen base point G = (G_x, G_y) where 

G_x = 0x3 F0EBA162 86A2D57E A0991168 D4994637 E8343E36 
G_y = 0x0 D51FBC6C 71A0094F A2CDD545 B11C5C0C 797324F1 

4.2 Point Multiplication 

There are several methods known to compute $kP \in E(GF(2^m))$ where $k \approx 2^m$. 
The binary double-and-add method requires $m$ doublings and $m/2$ additions 
on average. The addition-subtraction method requires only $m/3$ additions 
on average. It is based on the nonadjacent form (NAF) of the coefficient 
$k$. NAF($k$) is a unique signed binary expansion with the property that no two 
consecutive coefficients are nonzero. It has the fewest nonzero coefficients of any 
signed binary expansion of $k$, on average $m/3$. Window methods precompute 
some values and operate on more than one bit of the coefficient $k$ at the same 
time. Window methods also reduce the number of additions. The sliding window 
method uses a variable window size. It has an effect equivalent to using fixed 
windows one bit larger. On average this method requires $m + 1$ doublings and 
$2^{w-1} - 1 + m/(w+1)$ additions, where $w$ is the largest window size. A slight 
improvement can be gained by using a windowed addition-subtraction method. This 
is accomplished by using a windowed NAF. A width-$w$ NAF of $k$ is a unique 
expression $k = \sum_i k_i 2^i$ where each nonzero $k_i$ is odd and less than $2^{w-1}$ in 
absolute value, and among any $w$ consecutive coefficients at most one is nonzero. 
This method requires $m + 1$ doublings and $2^{w-2} - 1 + m/(w+1)$ additions on average. 
A different approach for point multiplication based on Montgomery's idea has 
also been proposed. It requires $6m$ field multiplications and squarings and does not 
need any extra memory storage. 

If a fixed base point is used we can use precomputed points as done by the 
fixed base comb method. Using $2^w$ precomputed points this method requires 
$d - 1$ doublings and $(d - 1)(2^w - 1)/2^w$ additions where $d = \lceil m/w \rceil$. We 
implemented this method with a window size of $w = 4$ and $w = 8$. This requires 
$2^4 = 16$ precomputed points and $16 \cdot 2 \cdot 22 = 704$ bytes, and $2^8 = 256$ 
precomputed points and $256 \cdot 2 \cdot 22 = 11264$ bytes, respectively. The precomputed points 
can easily be stored on the Palm device. 
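The NAF and width-w NAF expansions described above, as an added example in C that is not from the paper: the scalar is a 64-bit integer here rather than the 163-bit coefficient of the curves above (an assumption of this example), the digits come from the standard signed-residue recurrence, and a checker confirms the properties the text states (odd digits below 2^(w-1), at most one nonzero among any w consecutive digits) and counts the nonzero digits, i.e. the additions the addition-subtraction (w = 2) and windowed methods spend.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_DIGITS 66      /* a scalar below 2^63 needs at most 65 signed digits */

/* Width-w NAF of k (2 <= w <= 8 and k < 2^63 assumed), least significant digit
   first. While k is odd the digit is the signed residue d = k mods 2^w with
   |d| < 2^(w-1), which is odd; subtracting it makes k divisible by 2^w, so the
   next w-1 digits are zero. w = 2 gives the ordinary NAF. Returns the count. */
int wnaf(uint64_t k, int w, int8_t digits[MAX_DIGITS])
{
    uint64_t half = 1ull << (w - 1), full = 1ull << w;
    int len = 0;
    while (k != 0) {
        int8_t d = 0;
        if (k & 1) {
            uint64_t r = k & (full - 1);                       /* k mod 2^w */
            if (r < half) { d = (int8_t)r; k -= r; }           /* positive digit */
            else { d = (int8_t)((int64_t)r - (int64_t)full); k += full - r; }
        }
        digits[len++] = d;
        k >>= 1;
    }
    return len;
}

/* Check that the digits really form a width-w NAF of k: they reconstruct k,
   every nonzero digit is odd with |d| < 2^(w-1), and any w consecutive digits
   contain at most one nonzero. Returns 1 on success, 0 otherwise. */
int wnaf_valid(uint64_t k, int w)
{
    int8_t d[MAX_DIGITS];
    int len = wnaf(k, w, d), i, j;
    uint64_t acc = 0;
    for (i = len - 1; i >= 0; i--)                 /* Horner from the top digit */
        acc = 2 * acc + (uint64_t)(int64_t)d[i];
    if (acc != k) return 0;
    for (i = 0; i < len; i++) {
        if (d[i] == 0) continue;
        if (!(d[i] & 1) || abs(d[i]) >= (1 << (w - 1))) return 0;
        for (j = i + 1; j < len && j < i + w; j++)
            if (d[j] != 0) return 0;
    }
    return 1;
}

/* Nonzero digits, i.e. the point additions the addition-subtraction (w = 2)
   or windowed NAF method spends on this scalar (precomputation aside). */
int wnaf_weight(uint64_t k, int w)
{
    int8_t d[MAX_DIGITS];
    int i, n = 0, len = wnaf(k, w, d);
    for (i = 0; i < len; i++) n += d[i] != 0;
    return n;
}

/* Digit count; the top digit's position is the number of doublings needed. */
int wnaf_len(uint64_t k, int w) { int8_t d[MAX_DIGITS]; return wnaf(k, w, d); }
```
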
4.3 Timings 

Table 2 displays the timings for one point multiplication on a Handspring Visor 
with 2 MB of memory. The implementation was done in C using the CodeWarrior 
IDE. One can see that the differences are relatively small. While the 
Montgomery method always has the same running time, the other methods depend 
on the coefficient $k$. The timings were obtained by taking the average time 
of multiple test runs with random coefficients. When precomputed points can 
be used the running time is small. A typical key-exchange protocol like Diffie-Hellman 
or the ECDSA signature verification requires one point multiplication 
by a random point and one point multiplication by a fixed point. This can be 
done in 3.5 seconds using the Montgomery method and the fixed base comb method 
with $w = 8$. ECDSA signature generation requires a point multiplication by a 
fixed base point which can be done in 0.8 seconds. 



Table 2. Timings in sec. for one point multiplication on random curves 

Method                                        time 
Addition-subtraction                          3.31 
Sliding windows (w = 4)                       3.07 
Width-w addition-subtraction (w = 4)          2.96 
Montgomery                                    2.73 
Precomputation (fixed base comb, w = 4)       1.43 
Precomputation (fixed base comb, w = 8)       0.79 



5 Koblitz Curves 

Koblitz curves were first introduced by Koblitz. All described facts and methods are 
due to Solinas. The advantage of Koblitz curves is that point multiplication 
methods can be changed in such a way that point doubling is replaced by the 
Frobenius map. The Frobenius map $\tau : E(GF(p^m)) \to E(GF(p^m))$ is defined as 
$\tau(x, y) = (x^p, y^p)$. Since $p = 2$ this can be done efficiently using only two field 
squaring operations. There are two Koblitz curves, with $a = 0$ or $a = 1$. Let 
$\mu = (-1)^{1-a}$ and $\tau$ be the Frobenius map. It is known that $(\tau^2 + 2)P = \mu\tau P$ 
for all $P \in E(GF(2^m))$. Therefore $\tau$ can be expressed as the complex number 
$\tau = (\mu + \sqrt{-7})/2$. Since $\tau^2 = \mu\tau - 2$, every integer $k$ can be expressed as 
$r_1\tau + r_0$ where $r_0, r_1 \in \mathbb{Z}$. The main idea is to replace a coefficient $k$ by a $\tau$-adic 
number $k' = \sum_{i=0}^{l-1} k'_i \tau^i$ with $k'P = kP$ and to compute $k'P$. When computing 
$k'P = k'_{l-1}\tau^{l-1}(P) + \ldots + k'_0 P$, a point multiplication is reduced to a sequence 
of point additions without point doublings involved. The $\tau$-adic representation 
of $k$ has to be computed in such a way that it has short bit length. This is 
done using modulo reduction in $\mathbb{Z}[\tau]$. Note that this reduction requires 
multi-precision integer arithmetic. 
5.1 Curve Parameters 

Again we used a NIST recommended curve with the parameters 

a = 1, b = 1 

and group order 

#E(GF(2^163)) = 2 · 5846006549323611672814741753598448348329118574063 

NIST also provides the base point G = (G_x, G_y) where 

G_x = 0x2 FE13C053 7BBC11AC AA07D793 DE4E6D5E 5C94EEE8 
G_y = 0x2 89070FB0 5D38FF58 321F2E80 0536D538 CCDAA3D9 

5.2 Point Multiplication 

Similar to the addition-subtraction method for random curves we implemented 
a signed binary $\tau$-adic method that uses a reduced $\tau$-adic NAF of $k$. The 
$\tau$-adic NAF of $k$ is the unique expression $k = \sum_i k_i \tau^i$ where $k_i \in \{-1, 0, 1\}$ 
and no two consecutive coefficients $k_i$ are nonzero. Since the Frobenius map can 
be computed very efficiently the expected running time is $m/3$ point additions. 
The cost to compute the NAF of $k$ is much more expensive than for random 
curves though. The method can be improved by using a window technique. This 
is called the $\tau$-adic width-$w$ window method. It is based on the $\tau$-adic width-$w$ 
NAF that is defined very similarly to the binary width-$w$ NAF for random curves. 
This method requires $2^{w-2} - 1 + m/(w+1)$ additions on average. As before we used 
mixed projective point addition. 

If a fixed base point is used, precomputation reduces the time for one point 
multiplication. This is easily achieved by applying the $\tau$-adic width-$w$ window 
method. Instead of precomputing points for each multiplication the points are 
only precomputed once such that the window size can be chosen larger. 

5.3 Timings 

Table 3 displays the values for one point multiplication. Note that the windowed 
$\tau$-adic version with $w = 4$ is faster than with $w = 5$ although the latter one has 
a slightly lower complexity. Also, precomputation using more points is not as 
efficient as for random curves since the computational overhead to compute the 
$\tau$-adic representation of the scalar $k'$ increases. The usual time for a key exchange 
or signature verification is around 2.4 seconds while a signature generation can 
be done in 0.9 seconds. This is significantly faster than for random curves. 

Table 3. Timings in sec. for one point multiplication on Koblitz curves 

Method                          time 
τ-adic                          1.67 
τ-adic width-w (w = 4)          1.51 
τ-adic width-w (w = 5)          1.68 
Precomputation (w = 6)          1.08 
Precomputation (w = 10)         0.87 

6 Conclusion 

We implemented a NIST recommended random and Koblitz curve over $GF(2^{163})$ 
on a Palm OS device. A normal transaction such as a key exchange or signature 
verification can be done in less than 2.4 seconds while signature generation can 
be done in less than 0.9 seconds. Koblitz curves are particularly suitable for these 
devices since they allow running times that will probably be tolerated by most 
users. 
Abstract. We construct a variant of the Weil pairing to reduce the elliptic 
curve discrete logarithm problem to the discrete logarithm problem in the 
multiplicative subgroup of a finite field. We propose an explicit reduction 
algorithm using a new pairing and apply the algorithm to the case of 
trace-two elliptic curves. 

Key words: Anomalous curve, supersingular curve, Weil pairing, elliptic 
curve discrete logarithm. 



1 Introduction 

The discrete logarithm problem for a general group $G$ can be stated as follows: 
given $\alpha \in G$ and $\beta \in G$, find an integer $x$ such that $\beta = \alpha^x$, provided that such 
an integer exists. The integer $x$ is called the discrete logarithm of $\beta$ to the base 
$\alpha$. If we replace the group $G$ by the elliptic curve group over a finite field then 
it is the elliptic curve discrete logarithm problem (ECDLP). 

Koblitz and Miller independently proposed how to use the 
group of points on an elliptic curve over a finite field to construct public key 
cryptosystems. The security of these cryptosystems is based upon the presumed 
intractability of computing logarithms in the elliptic curve group. The best 
algorithms known for solving this problem are the exponential square root attacks 
that can be applied to any finite group and have a running time that is 
proportional to the square root of the largest prime factor dividing the order of the 
group. Miller argues that the index-calculus methods, which produced 
dramatic results in the computation of discrete logarithms in the multiplicative 
subgroup of a finite field, do not extend to elliptic curve groups. Consequently, 
if the elliptic curve is chosen so that its order is divisible by a large prime, then 
even the best attacks take exponential time. 

The integrity of ECDLP cryptographic tools would be widely accepted; however, 
there exist two exceptional families of elliptic curves (i.e., supersingular 
and anomalous curves) and for each case a powerful cryptanalysis method has been 
invented. But both classes of elliptic curves may be easily avoided in practice. 

At first Menezes, Okamoto and Vanstone proposed a subexponential time 
algorithm to solve the ECDLP over a supersingular elliptic curve $E$ defined over a 
finite field $F_q$ ($q = p^n$, $p > 3$), the so-called MOV algorithm. It employed the Weil 
pairing to reduce ECDLP to the discrete logarithm problem in a multiplicative 
subgroup of an extension field $F_{q^k}$ of $F_q$, $k \le 6$. By using a variant of the Tate 
pairing, Frey and Rück gave a generalization of this to the discrete logarithm 
over the divisor class group of curves; we call this algorithm the FR algorithm. 
Furthermore, Balasubramanian and Koblitz showed that if we choose an 
elliptic curve at random over a prime finite field $F_p$ whose number of $F_p$-rational 
points is prime, then the MOV algorithm on that curve is not effective with 
overwhelming probability. 

Recently, Semaev, Smart, and Satoh and Araki independently 
proposed a polynomial time algorithm (SSSA algorithm) for the ECDLP over 
an anomalous elliptic curve defined over a prime field $F_p$, i.e., an elliptic curve 
over $F_p$ whose number of $F_p$-points is $p$. It is easy to see that we can also apply 
the SSSA algorithm to the discrete logarithm problem over the $p$-part of $E(F_q)$, 
where $q$ is a power of $p$. Semaev employs an algebraic geometrical approach, 
while Smart and Satoh-Araki employ a number theoretical approach to reduce 
the ECDLP over $E$ to the additive group $F_p$. 

In this paper, we present the following results: 

1. We construct a variant of the Weil pairing to reduce the ECDLP defined over 
$F_q$ to the discrete logarithm problem in $F_q^*$. 

2. We propose an efficient reduction algorithm for ECDLP over elliptic curves 
with trace two, more generally, elliptic curves with even trace under a special 
condition. 

2 Construction of Bilinear Pairing 

We want to construct a certain variant of the Weil pairing with simple computation. 
Let $E$ be an elliptic curve defined over a finite field $F_q$ where $q = p^n$ for some 
prime $p \ne 2, 3$. Let $E(F_q)$ be the group of rational points of $E$ over $F_q$. Suppose 
that $E(F_q)$ contains a 2-torsion point and let $a$ be a 2-torsion point in $E(F_q)$. If 
a divisor $D_1 = div(f)$ is principal, for any $D_2 = \sum_{i=1}^{l} n_i (\alpha_i) \in Div^0(E)_{F_q}$ such 
that $supp(D_1) \cap supp(D_2) = \emptyset$, we let $f(D_2) = \prod_{i=1}^{l} f(\alpha_i)^{n_i}$, where $Div^0(E)_{F_q}$ 
is the group of divisors of degree zero whose components are $F_q$-rational. This 
value depends only on $f$ since the constant disappears when taking the product 
over the points of a divisor of degree zero. We can define a bilinear pairing from 
$E(F_q) \times E(F_q)$ to $F_q^*$ in the following way, 

$\langle \cdot, \cdot \rangle_a : E(F_q) \times E(F_q) \to F_q^*, \qquad \langle P, Q \rangle_a = f_P(Q) / f_Q(P).$ (1) 

where $P$ is a divisor $(P) - (O)$ corresponding to a point $P \in E(F_q)$ via an 
isomorphism from $E$ to the divisor class group of $E$, $Pic^0(E)$. We can deduce 
that $P_a - P = (P + a) - (a) - (P) + (O)$ is a principal divisor, by Cor 3.5 (pp. 
67), namely, there exists a rational function $f_P$ such that 

$div(f_P) = (P + a) - (a) - (P) + (O).$ 

Similarly, there exists a rational function $f_Q$ such that 

$div(f_Q) = (Q + a) - (a) - (Q) + (O).$ 

These rational functions are uniquely determined up to constants. In fact, this 
pairing is similar to the Weil pairing on the group of $m$-torsion points of the elliptic 
curve $E$. 



Theorem 1. For the pairing < •, • >a given in (1), we have the following prop- 
erties. 



1. < •,• >a depends only on the divisor class. 

2. It is a bilinear pairing. 

3. It is alternative, i.e.,< P,Q >a=< Q,P 

Proof. (1) Let $P'$ be linearly equivalent to $P$. Then we can express $P' = P + (g)$ 
for some rational function $g$. Thus we get 

$$(f_{P'}) = P'_a - P' = P_a - P + (g)_a - (g) = (f_P) + (g)_a - (g).$$

The value of $\langle P, Q \rangle_a$ for $P'$ is 

$$\frac{f_{P'}(Q)}{f_Q(P')} = \frac{f_P(Q)\, g(Q - a)\, g(-a)^{-1}\, g(O)\, g(Q)^{-1}}{f_Q(P)\, f_Q((g))}.$$

Since $a$ is a 2-torsion point, i.e., $a = -a$, 

$$\frac{g(Q - a)\, g(O)}{g(Q)\, g(-a)} = \frac{g(Q + a)\, g(O)}{g(Q)\, g(a)} = g((f_Q)),$$

and by the Weil reciprocity law in Lang [?], pp. 172, we have $f_Q((g)) = g((f_Q))$. 
Hence we conclude that 

$$\frac{f_{P'}(Q)}{f_Q(P')} = \frac{f_P(Q)}{f_Q(P)},$$

namely, it is independent of the choice of a divisor in the same divisor class. 
Similarly, it is well-defined with respect to the second variable. If $\mathrm{supp}((f_P)) \cap 
\mathrm{supp}(Q) \neq \emptyset$, then we can find a divisor $Q' = Q + (g)$ such that $\mathrm{supp}((f_P)) \cap 
\mathrm{supp}(Q') = \emptyset$. Thus we can avoid the points at which the rational functions are 
not defined. 

(2) We show $\langle P_1 + P_2, Q \rangle_a = \langle P_1, Q \rangle_a \langle P_2, Q \rangle_a$. Since the divisor of the point $P_1 + P_2$ is 
linearly equivalent to the sum of the divisors of $P_1$ and $P_2$, namely 

$$(P_1 + P_2) - (O) \sim (P_1) - (O) + (P_2) - (O)$$

by the square theorem [?], we have 

$$\frac{f_{P_1 + P_2}(Q)}{f_Q(P_1 + P_2)} = \frac{f_{(P_1)-(O)+(P_2)-(O)}(Q)}{f_Q\big((P_1)-(O)+(P_2)-(O)\big)} = \frac{f_{P_1}(Q)\, f_{P_2}(Q)}{f_Q(P_1)\, f_Q(P_2)} = \langle P_1, Q \rangle_a \langle P_2, Q \rangle_a.$$

It is also linear with respect to the second variable in the same way. 
(3) It is obvious by definition. 
We can easily find the rational functions needed in the computation of the pairing (1) 
using the following algorithm. 

Algorithm 1 

[Description] Algorithm for finding a rational function over $E$ with a given 
divisor. 

[Input] A divisor of the form $(P + Q) - (P) - (Q) + (O)$ where $P, Q \in E(\mathbb{F}_q)$. 
[Output] A rational function $g$ such that $(P + Q) - (P) - (Q) + (O) = (g)$. 

1. Find a line equation $L : f(x, y, z) = ax + by + cz = 0$ in $\mathbb{P}^2$ through $P$ and 
$Q$ where $a, b, c \in \mathbb{F}_q$. 

2. Compute $R$, the third point of intersection of $L$ with $E$. 

3. Find a line equation $L' : f'(x, y, z) = a'x + b'y + c'z = 0$ in $\mathbb{P}^2$ through $R$ 
and $O$ where $a', b', c' \in \mathbb{F}_q$. 

4. Output $g = f'/f$. 



Here is how the algorithm yields an easy way to compute the rational function $g$: for a 
given divisor of the form $(P + Q) - (P) - (Q) + (O)$, let $f(x, y, z) = ax + by + cz = 0$ be the line $L$ in 
$\mathbb{P}^2$ through $P$ and $Q$. Also let $R$ be the third point of intersection of $L$ with $E$ and 
$f'(x, y, z) = a'x + b'y + c'z = 0$ the line $L'$ through $R$ and $O$. Then, from the 
definition of addition on $E$ and the fact that the line $z = 0$ intersects $E$ at $O$ 
with multiplicity 3, we have 

$$\mathrm{div}(f/z) = (P) + (Q) + (R) - 3(O)$$

and 

$$\mathrm{div}(f'/z) = (R) + (P + Q) - 2(O).$$

Hence 

$$(P + Q) - (P) - (Q) + (O) = \mathrm{div}(f'/f).$$

The rational function $f'/f$ is the function for which we are looking. 
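To make the two-line construction concrete, here is Algorithm 1 carried out in Python on a constructed toy curve. This is an added example, not code from the paper: the curve $y^2 = x^3 + x + 6$ over $\mathbb{F}_{11}$ (13 rational points), the points $P = (2,7)$, $Q = (5,2)$ and all function names are my own choices. The block builds $f$ and $f'$ as projective line coefficients, forms $g = f'/f$, and then checks the divisor by evaluating $g$ at $P + Q$, $P$, $Q$, $O$ and at the auxiliary point $R$, where the zero of $f'$ cancels the zero of $f$.

```python
# Added example (not the paper's code): Algorithm 1 on a constructed toy curve.
# Curve (my choice): y^2 = x^3 + x + 6 over F_11, which has 13 rational points.
p = 11
A, B = 1, 6
O = None  # the point at infinity, i.e. (0 : 1 : 0) in projective coordinates


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % p == 0


def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % p)


def slope(P, Q):
    """Slope of the chord through P and Q (the tangent if P == Q); both affine, not vertical."""
    if P == Q:
        return (3 * P[0] * P[0] + A) * pow(2 * P[1], -1, p) % p
    return (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p


def add(P, Q):
    """Chord-and-tangent addition on E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return O  # Q = -P
    lam = slope(P, Q)
    x = (lam * lam - P[0] - Q[0]) % p
    y = (lam * (P[0] - x) - P[1]) % p
    return (x, y)


def line_through(P, Q):
    """Coefficients (a, b, c) of the line a*x + b*y + c*z = 0 in P^2 through P and Q
    (steps 1 and 3 of Algorithm 1): the tangent if P == Q, the vertical line if Q == -P
    or one of the points is O, and the line at infinity z = 0 if both are O."""
    if P is O and Q is O:
        return (0, 0, 1)
    if P is O or Q is O:
        R = Q if P is O else P
        return (1, 0, (-R[0]) % p)  # x = x_R, which passes through O
    if P[0] == Q[0] and (P != Q or P[1] == 0):
        return (1, 0, (-P[0]) % p)  # vertical chord, or vertical tangent at a 2-torsion point
    lam = slope(P, Q)
    # y = lam*x + c  <=>  -lam*x + y - c*z = 0  with  c = y_P - lam*x_P
    return ((-lam) % p, 1, (lam * P[0] - P[1]) % p)


def eval_line(L, pt):
    a, b, c = L
    x, y, z = (0, 1, 0) if pt is O else (pt[0], pt[1], 1)
    return (a * x + b * y + c * z) % p


def function_with_divisor(P, Q):
    """Algorithm 1: returns g = f'/f as (numerator line, denominator line) with
    div(g) = (P+Q) - (P) - (Q) + (O)."""
    f = line_through(P, Q)          # step 1: line L through P and Q
    R = neg(add(P, Q))              # step 2: third intersection point of L with E
    f_prime = line_through(R, O)    # step 3: line L' through R and O
    return (f_prime, f)             # step 4: g = f'/f


def eval_g(g, pt):
    """Value of g at pt: an element of F_p, 'pole', or 'indeterminate' when both
    lines vanish (as at R, where the zero of f' cancels the zero of f)."""
    num, den = g
    n, d = eval_line(num, pt), eval_line(den, pt)
    if d == 0:
        return 'indeterminate' if n == 0 else 'pole'
    return n * pow(d, -1, p) % p


def divisor_profile(P, Q):
    """Check the divisor claimed by Algorithm 1: g must vanish at P+Q and at O
    and have poles at P and Q."""
    g = function_with_divisor(P, Q)
    return {'P+Q': eval_g(g, add(P, Q)), 'P': eval_g(g, P),
            'Q': eval_g(g, Q), 'O': eval_g(g, O)}


if __name__ == "__main__":
    P, Q = (2, 7), (5, 2)
    assert on_curve(P) and on_curve(Q)
    print(function_with_divisor(P, Q))  # ((1, 0, 3), (9, 1, 8)): g = (x - 8) / (9x + y + 8)
    print(divisor_profile(P, Q))        # {'P+Q': 0, 'P': 'pole', 'Q': 'pole', 'O': 0}
```

With $P = (2,7)$ and $Q = (5,2)$ the chord has slope 2, the third intersection is $R = (8,8)$, so $P + Q = (8,3)$ and $g = (x - 8)/(y - 2x - 3)$; the profile confirms a zero at $P + Q$ and at $O$ (the $b'$ coefficient of the vertical line is 0 while $b = 1$), poles at $P$ and $Q$, and a cancelling $0/0$ at $R$. Passing $P = Q$ exercises the tangent branch and gives the same profile for $2P = (5,2)$.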

Remark 2.2 

1. In fact, for general elliptic curves the image of this pairing is very small. Let 
$N$ be the order of the elliptic curve $E$; then we have 

$$1 = \langle NP, NQ \rangle_a = \langle P, Q \rangle_a^{N^2}.$$

Hence $\langle P, Q \rangle_a$ has order dividing $\gcd(N^2, q - 1)$. Thus this technique 
is meaningful when $N = q - 1$ or $\gcd(N, q - 1)$ is of size almost that of $q$, as 
will be seen in the next section. 

2. A similar procedure can be used to compute $\langle \cdot, \cdot \rangle_a$ in the case $J$ is the 
Jacobian variety of a hyperelliptic curve. 
3 The Reduction 

In fact, the condition on the extension degree for the FR algorithm is usually 
weaker than that for the MOV algorithm: Theorem 4.2 in [?] shows that the 
condition $q^k \equiv 1 \pmod{\ell}$ is equivalent to the condition $E[\ell] \subseteq E(\mathbb{F}_{q^k})$ if $\ell \nmid q - 1$, 
i.e., the effectiveness of the MOV algorithm is the same as that of the 
FR algorithm if $q \not\equiv 1 \pmod{\ell}$. The extension degree $k$ is exponential in $\log q$ 
when $\ell \nmid q - 1$. We consider the case $\ell \mid q - 1$. 

From a standard cryptographic viewpoint, let $|E(\mathbb{F}_q)| = 2\ell$; we may assume 
that $\ell$ is around $q$, and then it is easy to see $|E(\mathbb{F}_q)| = q - 1$ when $\ell \mid q - 1$. Suppose 
that $\ell$ is a prime number. Let $P \in E(\mathbb{F}_q)$ be an element of order $\ell$ and $R \in \langle P \rangle$. 
Let $a \neq O$ be a 2-torsion point in $E(\mathbb{F}_q)$. With the pairing described in Section 
2, we can obtain the following theorem. 



Theorem 2. There exists some point $Q \in E(\mathbb{F}_q)$ such that the map $\phi_{Q,a} : \langle P \rangle \to G$ 
defined by $\phi_{Q,a}(R) = \langle Q, R \rangle_a$ is a group isomorphism, where $G$ is the 
unique cyclic subgroup of $\mathbb{F}_q^*$ of order $\ell$. 

Proof. There exists a unique 2-torsion point $a \neq O$ since $\ell$ is prime. Thus 
we need not worry about the choice of the 2-torsion point. If we take $Q$ to be 
a non-2-torsion point in $E(\mathbb{F}_q)$ then we have a one-to-one homomorphism 
$\phi_{Q,a} : \langle P \rangle \to \mathbb{F}_q^*$ since $\langle P \rangle$ has prime order. 

We can introduce the following algorithm to reduce the ECDLP, when $|E(\mathbb{F}_q)| 
= q - 1 = 2\ell$ where $\ell$ is a prime number, to the discrete logarithm problem in 
a multiplicative subgroup of the underlying finite field. 

Algorithm 2 

[Description] Reduction of the discrete logarithm on $E(\mathbb{F}_q)$ to the discrete 
logarithm in $\mathbb{F}_q^*$. 

[Input] An element $P \in E(\mathbb{F}_q)$ of order $\ell$, $R \in \langle P \rangle$. 

[Output] An integer $m$ such that $R = mP$. 

1. Find $Q \in E(\mathbb{F}_q)$ such that $\alpha = \phi_{Q,a}(P)$ has order $\ell$. 

2. Compute $\beta = \phi_{Q,a}(R)$. 

3. Compute $m$, the discrete logarithm of $\beta$ to the base $\alpha$ in $\mathbb{F}_q^*$. 

Note that the output of Algorithm 2 is correct since 

$$\beta = \phi_{Q,a}(mP) = \langle Q, mP \rangle_a = \langle Q, P \rangle_a^m = \alpha^m.$$

Thus, in this case, the reduction step of Algorithm 2 takes polynomial time, 
resulting in a probabilistic subexponential time algorithm for computing elliptic 
curve discrete logarithms on these curves. Thus, to select a secure elliptic curve, 
we must avoid elliptic curves of trace 2. 
Remark 3.1 

1. In our cases, which are important ones for cryptographic reasons, unlike 
Algorithm 2 in the MOV reduction, which chooses a point $Q$ probabilistically, 
we can determine a point $Q$ easily, because every non-2-torsion point of $E(\mathbb{F}_q)$ 
has prime order. Consequently, step (1) in Algorithm 2 is independent of the 
choice of a point $Q$ such that $2Q \neq O$. 

2. We can compare our pairing with the Weil pairing and the Tate-Lichtenbaum pairing. 
The fast algorithm used to compute the Weil pairing following V. Miller 
consists in a twofold computation of the Tate-Lichtenbaum pairing. The 
Tate-Lichtenbaum pairing is computable in $O(\log q)$ steps, where one step 
is equivalent to an addition in $E(\mathbb{F}_q)$. But the computation of our pairing 
is much simpler than that of the Tate-Lichtenbaum pairing because the computation 
takes a constant number of multiplications in $\mathbb{F}_q^*$. 

3. In [13], Kanayama et al. also proposed a reduction algorithm (KKSU algorithm) 
for the ECDLP over trace two elliptic curves. Their algorithm differs 
from the FR algorithm and is faster than the FR algorithm. They confirmed 
that the reduction part of their proposed algorithm was 1.5 times faster than 
that of the FR algorithm. However, the reduction part of our algorithm is 
faster than the KKSU algorithm since the computation of the pairing used 
for the reduction consists of only a constant number of multiplications in $\mathbb{F}_q^*$. 

4. We know that, to resist the MOV attack, one only needs to check that $n$, 
the order of the point $P$, does not divide $q^k - 1$ for all small $k$ for which the 
DLP in $\mathbb{F}_{q^k}$ is tractable; in practice, when $n > 2^{160}$ then $1 \le k \le 20$ suffices. 
More generally, the divisibility check rules out all elliptic curves for which the 
ECDLP can be efficiently reduced to the DLP in some small extension of $\mathbb{F}_q$. 
These include the elliptic curves of trace 2 as well as supersingular elliptic 
curves. 
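The divisibility check of item 4, as an added Python example (not the paper's code; the helper names are my own): for a curve $y^2 = x^3 + Ax + B$ over a small prime field it counts points by brute force, takes $n$ as the largest prime factor of the group order, and returns the least $k \le k_{\max}$ with $n \mid q^k - 1$. The three curves over $\mathbb{F}_{11}$ are constructed for the example: $y^2 = x^3 + x + 10$ has $10 = q - 1$ points (trace 2, the case of this paper, caught at $k = 1$), $y^2 = x^3 + 1$ is supersingular ($k = 2$), and $y^2 = x^3 + x + 6$ has 13 points ($k = 12$).

```python
# Added example (not the paper's code): the MOV/FR divisibility check of Remark 3.1(4),
# run on constructed toy curves over F_11 so every value can be checked by hand.


def count_points(p, A, B):
    """|E(F_p)| for y^2 = x^3 + A*x + B by brute force over x, using Euler's criterion
    for the number of y's. Fine for toy primes; real curves come with a published order."""
    N = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + A * x + B) % p
        if rhs == 0:
            N += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            N += 2
    return N


def largest_prime_factor(N):
    """Trial division; n, the order of the base point, is taken to be this factor."""
    best, d = 1, 2
    while d * d <= N:
        while N % d == 0:
            best, N = d, N // d
        d += 1
    return max(best, N) if N > 1 else best


def embedding_degree(q, n, k_max=20):
    """Smallest k in 1..k_max with n | q^k - 1 (i.e. q^k = 1 mod n), else None.
    The remark's rule: for n > 2^160, checking k up to 20 suffices."""
    acc = 1
    for k in range(1, k_max + 1):
        acc = acc * q % n
        if acc == 1:
            return k
    return None


def mov_report(p, A, B, k_max=20):
    """Trace and embedding degree of y^2 = x^3 + A*x + B over F_p. 'reducible' means
    the ECDLP in the order-n subgroup maps into F_{p^k}^* for some k <= k_max."""
    N = count_points(p, A, B)
    n = largest_prime_factor(N)
    k = embedding_degree(p, n, k_max)
    return {"N": N, "trace": p + 1 - N, "n": n, "k": k, "reducible": k is not None}


if __name__ == "__main__":
    # Constructed curves over F_11: trace 2 (N = q - 1 = 10, k = 1, the case of Section 3),
    # supersingular (N = q + 1 = 12, k = 2), and an ordinary one with N = 13 (k = 12).
    for A, B in [(1, 10), (0, 1), (1, 6)]:
        print((A, B), mov_report(11, A, B))
```

On a field this small every $n$ divides some $q^k - 1$ with $k \le 20$, so only the value of $k$ is informative here: the trace-2 curve is caught at $k = 1$ (that is $n \mid q - 1$, exactly the situation of Section 3) and the supersingular one at $k = 2$; the cutoff $k \le 20$ becomes a meaningful filter only at cryptographic sizes, $n > 2^{160}$, as the remark states. For real curves replace the brute-force count with the published group order and pass the known prime order $n$ directly to `embedding_degree`.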



We conclude that we can reduce the discrete logarithm problem on trace 
two elliptic curves defined over $\mathbb{F}_q$ to the discrete logarithm problem in a 
multiplicative subgroup of the underlying finite field $\mathbb{F}_q$. 